Storage and Destruction Policy of Personal Data

POLICY OF STORAGE, DISPOSAL AND ANONYMIZATION OF PERSONAL DATA

OBJECTIVE AND SCOPE
This Personal Data Storage and Destruction Policy ("Policy") has been prepared to determine the procedures and principles regarding the work and transactions concerning the storage and destruction activities carried out by PEKİNTAŞ YAPI İNŞAAT SAN. VE TİC. LTD. ŞTİ. (referred to as "PEKİNTAŞ YAPI İNŞAAT SAN. VE TİC. LTD. ŞTİ." or "Company").

Our basic principle as a company is that the personal data of Company customers, patients, employees, employee candidates, service providers, visitors and other third parties is processed in accordance with the Constitution of the Republic of Turkey (T.C.), international conventions, the Personal Data Protection Law No. 6698 ("Law") and other relevant legislation. In this context, it has been determined as a priority that the relevant persons do not lose their rights and can use their rights effectively.

This Personal Data Storage and Destruction Policy has been prepared in line with the Law on the Protection of Personal Data No. 6698, the Regulation on the Deletion, Destruction or Anonymization of Personal Data ("Regulation"), which entered into force in the Official Gazette dated 28.10.2017 and numbered 30224, and other legislation provisions.

DEFINITIONS
Recipient Group

The category of natural or legal persons to whom personal data is transferred by the data controller.

Express Consent

Consent on a specific subject, based on information and expressed with free will.

Anonymization

Making personal data unrelated to an identified or identifiable natural person under any circumstances, even by matching other data.

Employee

PEKİNTAŞ YAPI İNŞAAT SAN. VE TİC. LTD. ŞTİ. staff.

Electronic environment

Media where personal data can be created, read, changed and written with electronic devices

Non-Electronic Environment

Other than electronic media, all written, printed, visual, etc. other environments.

Service provider

A natural or legal person providing services under a specific contract with the Personal Data Protection Authority.

Related person

The natural person whose personal data is processed.

Related User

Except for the person or unit responsible for the technical storage, protection and backup of the data, the persons who process personal data within the organization of the data controller or in line with the authorization and instruction received from the data controller.

Destruction

Deletion, destruction or anonymization of personal data.

Law

Personal Data Protection Law No. 6698.

Recording Media

Any medium containing personal data that is fully or partially automated or processed in non-automatic ways, provided that it is a part of any data recording system.

Personal Data

Any information that makes a person specific or identifiable.

Personal Data Processing Inventory

Personal data processing activities carried out by data controllers depending on the business processes; the purposes of processing personal data and the legal reason, the data category, the transmitted recipient group and the data subject group, and the inventory that they detail by explaining the maximum retention period required for the purposes for which the personal data is processed, the personal data foreseen to be transferred to foreign countries and the measures taken for data security

Processing of Personal Data

Any operation performed on personal data, such as obtaining, recording, storing, preserving, changing, reorganizing, disclosing, transferring, taking over, making available, classifying or preventing the use of the data, by fully or partially automated means, or by non-automatic means provided that they are part of any data recording system.

Board

Personal Data Protection Board

Special Qualified Personal Data

Data on individuals' race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, costume and dress, association, foundation or union membership, health, sexual life, criminal conviction and security measures, as well as biometric and genetic data.

Periodic Destruction

The deletion, destruction or anonymization process to be carried out automatically at repetitive intervals specified in the personal data storage and disposal policy in the event that all the conditions for processing personal data in the law are eliminated.

Policy

Personal Data Retention and Destruction Policy

Data Processor

The natural or legal person who processes personal data on behalf of the data controller based on the authority given by the data controller

Data Record System

A recording system in which personal data are structured and processed according to certain criteria.

Data Controller

Natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.

Data Controllers Registry Information System

The information system that data controllers will use in the application to the Registry and in other relevant transactions related to the Registry, accessible on the internet, created and managed by the Directorate

VERBIS

Data Controllers Registry Information System

Regulation

The Regulation on the Deletion, Destruction or Anonymization of Personal Data, published in the Official Gazette dated October 28, 2017.

3. RECORDING MEDIA

The table below shows in which environments the personal data stored by PEKİNTAŞ YAPI İNŞAAT SAN. VE TİC. LTD. ŞTİ. are kept. Personal data stored by our company are kept in the most appropriate recording environment according to their nature and legal status.

Data Recording Media | Explanation

Electronic Media

·  Servers (Backup, E-mail, Web, File Sharing, etc.)
·  Information Security Device (Firewall, Log File, Antivirus, etc.)
·  Company Computers (Desktop, etc.)
·  Company Owned Mobile Devices (Telephone, etc.)
·  Removable Drives (USB, etc.)

Non-Electronic Environments

·  Paper
·  Written, printed, visual media

RESPONSIBILITY AND DISTRIBUTIONS OF DUTIES
Subparagraph f of Article 6 of the Regulation requires that the titles, duties and units of the persons involved in the storage and destruction processes of personal data be specified. In this context, the titles, duties and units of the persons within the company who are responsible for data security, for the management of storage and disposal processes, and for taking technical and administrative measures to prevent the illegal processing of and access to personal data and to ensure the legal storage of personal data are given below.

Title | Job Description

Title: Personal Data Manager

Job Description: Directs all kinds of planning, analysis, research and risk determination studies in the projects carried out in the process of compliance with the Law; is obliged to manage the processes to be carried out in accordance with the Law, the Personal Data Processing and Protection Policy, the Personal Data Storage and Destruction Policy and other regulated policies and procedures, and to decide on the requests from the relevant persons.

Title: PEKİNTAŞ YAPI İNŞAAT SAN. VE TİC. LTD. ŞTİ. Personal Data Protection Specialist (Technical and Administrative)

Job Description: Is responsible for examining the requests of the relevant persons and reporting them to the Personal Data Manager for evaluation; fulfilling the processes regarding the requests of the relevant person, which are evaluated and decided by the Personal Data Manager, in accordance with the decision of the Personal Data Manager; auditing the storage and disposal processes and reporting these controls to the Personal Data Manager; and executing the storage and disposal processes.

Title: Human Resources Manager, Legal Affairs Officer, Patient Rights and Quality Director

Job Description: Is responsible for the execution of policies in accordance with the job descriptions and controls on the protection, storage and destruction of personal data.

EXPLANATIONS ON STORAGE AND DISPOSAL
Within the company, personal data of the persons served are processed in accordance with the provisions of the Law, stored in the recording media specified in this policy, and destroyed as specified in this policy. In addition, our company stores and destroys personal data regarding its personnel.

Personal data is stored based on one or more of the personal data processing conditions specified in Articles 5 and 6 of the Law, and is kept for as long as the conditions specified for the processing of personal data remain valid. When the processing conditions expire, or upon the relevant person's application to our Company, personal data are deleted, destroyed or anonymized (after checking other legal obligations that our company must comply with).

Legal Reasons Requiring Storage

The personal data processed within the framework of the company's activities are kept for the period stipulated in the relevant legislation. In this context, personal data are kept for the periods stipulated in:

Labor Law No. 4857.
Turkish Commercial Code No. 6102.
Turkish Code of Obligations No. 6098.
Law No. 6502 on Consumer Protection.
Occupational Health and Safety Law No. 6331.
Personal Data Protection Law No. 6698.
Tax Procedure Law No. 213.
Social Insurance and General Health Insurance Law No. 5510.
Health Services Fundamental Law No. 3359.
Regulation on Processing of Personal Health Data and Protection of Privacy.

Processing Purposes Requiring Preservation

The company stores the personal data processed within the framework of its activities for certain purposes. In this context, the purposes are listed below.

Execution of Emergency Management Processes
Execution of Information Security Processes
Execution of Employee Candidates' Application Processes
Employee Contract and Fulfillment of Obligations Arising from Legislation
Execution of Fringe Benefits and Benefits Processes for Employees
Conducting Audit / Ethical Activities
Conducting Training Activities
Execution of Access Authorities
Conducting Activities in Compliance with Legislation
Execution of Finance and Accounting Affairs
Ensuring Physical Space Security
Execution of Assignment Processes
Follow-up and Execution of Legal Affairs
Conducting Internal Audit / Investigation / Intelligence Activities
Conducting Communication Activities
Planning of Human Resources Processes
Execution / Supervision of Business Activities
Conducting Occupational Health / Safety Activities
Conducting Business Continuity Activities
Execution of Logistics Activities
Execution of Goods / Service Purchase Processes
Execution of Goods / Service Sales Processes
Execution of Customer Relationship Management Processes
Execution of Custody and Archive Activities
Execution of Contract Processes
Execution of Supply Chain Management Processes
Execution of Wage Policy
Ensuring the Security of Data Controller Operations
Giving Information to Authorized Persons, Institutions and Organizations
Conducting Management Activities

Causes Requiring Destruction

Personal data are deleted, destroyed or anonymized by the Company, at the request of the person concerned or ex officio, in the following cases:

The amendment or abolition of the relevant legislation provisions that form the basis for processing,
The disappearance of the purpose requiring processing or storage,
In cases where the processing of personal data takes place only on the condition of express consent, the withdrawal of that express consent by the person concerned,
In accordance with Article 11 of the Law, the application made to the Company for the deletion and destruction of personal data within the framework of the rights of the person concerned,
Where the Company rejects the application made by the person concerned requesting the deletion, destruction or anonymization of his personal data, gives an answer that is found inadequate, or does not respond within the period stipulated in the Law, the making of a complaint to the Personal Data Protection Authority and the approval of this request by the Authority,
The maximum period for the storage of personal data has passed and there are no conditions to justify the storage of personal data for a longer period,
The expiry of the storage periods specified in the relevant legislation.

TECHNICAL AND ADMINISTRATIVE MEASURES FOR THE SECURE STORAGE OF PERSONAL DATA, UNLAWFUL PROCESSING AND PREVENTION OF ACCESS
PEKİNTAŞ YAPI İNŞAAT SAN. VE TİC. LTD. ŞTİ. takes all necessary technical and administrative measures, in accordance with the characteristics of the relevant personal data and of the environment in which it is kept, in order to store personal data securely and to prevent unlawful processing and access. In addition, in accordance with Article 12 and paragraph 4 of Article 6 of the Law, our company takes technical and administrative measures for special quality personal data within the framework of the adequate measures determined and announced by the Personal Data Protection Authority.

These measures include, but are not limited to, the following administrative and technical measures to the extent that they are in line with the nature of the relevant personal data and the environment in which it is stored.

5.1. Technical and administrative Measures

In all environments where personal data are stored, PEKİNTAŞ YAPI İNŞAAT SAN. VE TİC. LTD. ŞTİ. takes the following technical measures in accordance with the characteristics of the relevant data and of the environment where the data are stored:

Network security and application security are provided.
Closed system network is used for personal data transfers via network.
Security measures within the scope of procurement, development and maintenance of information technology systems are taken.
Training and awareness activities on Data Security for Employees are carried out at regular intervals.
An authority matrix has been created for the employees.
Access logs are kept regularly.
Confidentiality commitments are made.
The authorizations in this field of employees who change jobs or leave their job are removed.
Current anti-virus systems are used.
Firewalls are used.
The signed contracts contain data security provisions.
Necessary security measures are taken for entering and exiting physical environments containing personal data.
Physical environments containing personal data are secured against external risks (fire, flood, etc.).
The security of environments containing personal data is ensured.
Personal data is reduced as much as possible.
Personal data are backed up and the security of backed up personal data is also ensured.
User account management and authorization control system is applied and their follow-up is also performed.
Log records are kept without user intervention.
Intrusion detection and prevention systems are used.
The awareness of data processing service providers on data security is ensured.


PERSONAL DATA DISPOSAL TECHNIQUES
In accordance with the Law, other legislation and the Personal Data Processing and Protection Policy, PEKİNTAŞ YAPI İNŞAAT SAN. VE TİC. LTD. ŞTİ. deletes, destroys or anonymizes personal data when the reasons requiring the processing of the data disappear, upon the request of the relevant person, or within the periods specified in this Personal Data Storage and Destruction Policy.

The deletion, destruction and anonymization techniques used by PEKİNTAŞ YAPI İNŞAAT SAN. VE TİC. LTD. ŞTİ. are listed below:

6.1 Deletion Methods

Personal data are deleted with the methods given in the table below.

Deletion Methods for Personal Data Retained in Physical Environment

Blackout

Personal data in the physical environment are deleted using the blackout method. The blackout process is done by cutting out the personal data on the relevant document whenever possible, and by making it invisible with fixed ink in a way that is irreversible and cannot be read with technological solutions.

Deletion Methods for Personal Data Retained in Cloud and Local Digital Environment / Software

Safe deletion from software

At the end of the period that requires storage, personal data kept in cloud or local digital environments are deleted by digital command and made unavailable, in a way that cannot be accessed again by other relevant employees, except the database manager.

Personal Data on Servers

Deleting by removing access authorization

For personal data on the servers whose storage period has expired, the access authorization of the relevant users is removed by the system administrator and the deletion is performed.

6.2 Methods of Destruction

Personal data are destroyed by the methods given in the table below.

Destruction Methods for Personal Data Stored in Physical / Printed Environment

Physical destruction

Documents kept in the printed environment are destroyed by document destruction machines in such a way that they cannot be put back together.

Destruction Methods for Personal Data Retained in Local Digital Environment and Servers

Physical destruction

It is the physical destruction of optical and magnetic media that contain personal data. Data is made inaccessible by processes such as melting, burning, pulverizing or passing the optical or magnetic media through a metal grinder.

De-magnetize (degauss)

It is the process of corrupting the data so that it becomes unreadable by exposing the magnetic media to a high magnetic field.

Overwrite

Random data consisting of 0s and 1s is written at least seven times over magnetic media and rewritable optical media, which prevents the old data from being read and recovered.

Destroying access by deauthorizing

For personal data on the servers whose storage period has expired, the access authorization of the relevant users is removed by the system administrator and the destruction is performed in a way that the data will not be accessible again.

Destruction Methods for Personal Data Held in the Cloud

Safe deletion from software

Personal data kept in the cloud is deleted by digital command so that it cannot be recovered, and when the cloud computing service relationship ends, all copies of the encryption keys required to make personal data usable are destroyed. Data deleted in this way cannot be accessed again.

6.3 Anonymization Methods

PEKİNTAŞ YAPI İNŞAAT SAN. VE TİC. LTD. ŞTİ. uses appropriate techniques to make personal data unrelated to an identified or identifiable natural person.

Personal data are anonymized with the methods given in the table below.

Anonymization Methods for Personal Data Stored in Physical / Printed Media

Subtracting variables

It is the removal of one or more of the direct identifiers that are included in the personal data of the relevant person and could be used to identify the person concerned in any way.

This method can be used to anonymize personal data, or it can also be used to delete personal data if there is information that is not suitable for the data processing purpose.

Regional concealment

It is the process of deleting the distinctive information of records that are exceptional within a data table in which personal data are held collectively in anonymous form.

Generalization

It is the process of bringing together personal data belonging to many people, removing their distinctive information and turning them into statistical data.

Lower and upper limit coding / Global coding

For a certain variable, the ranges of that variable are defined and categorized. If the variable does not contain a numeric value, then the data close to each other in the variable are categorized. Values in the same category are combined.

Micro join

With this method, all records in the data set are first arranged in a meaningful order and then the whole set is divided into a certain number of subsets. Then, by taking the average of the value of each subset of the specified variable, the value of that variable of the subset is replaced with the average value. In this way, as the indirect identifiers in the data will be corrupted, it becomes difficult to associate the data with the relevant person.

Data hashing and distortion

By mixing or distorting direct or indirect identifiers in personal data with other values, their relationship with the relevant person is broken and they lose their descriptive qualities.

Anonymization Methods for Personal Data in Digital Environment / Servers / Cloud

Masking (Encrypt, use icons, blur, shuffle, override)

Data masking is making personal data incomprehensible to prevent unauthorized access. This method is used to prevent confidential and sensitive information in the organization from leaking inside and outside the organization and being seized by malicious people. In data masking, the data format is not changed; only the values are changed, and this change is made in such a way that it cannot be detected or reversed in any way. In addition, by determining who can access which data, it is ensured that only authorized persons can see the information they need to see and other information is masked.
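The "micro join" method listed above (commonly called microaggregation) can be illustrated as follows. This is an added example, not part of the company's policy or systems; the function names, the group size of 3 and the salary figures are assumptions constructed for illustration.

```python
from collections import Counter
from statistics import mean


def microaggregate(values, k):
    """Replace each value with the mean of its group of at least k records.

    Records are ordered by value, cut into consecutive groups of k, and a
    short trailing group is merged into the previous one so that no group
    ends up with fewer than k members.
    """
    if k < 2:
        raise ValueError("k must be at least 2: a group of one keeps the original value")
    n = len(values)
    if n == 0:
        return []
    if n < k:
        raise ValueError("fewer than k records: no group of size k can be formed")

    # Step 1: arrange the records in a meaningful order (here: by value),
    # remembering each record's original position.
    order = sorted(range(n), key=lambda i: values[i])

    # Step 2: divide the ordered set into subsets of k records.
    groups = [order[start:start + k] for start in range(0, n, k)]
    if len(groups[-1]) < k:
        groups[-2].extend(groups.pop())  # merge the undersized tail

    # Step 3: replace every value in a subset with the subset average.
    published = [None] * n
    for group in groups:
        average = mean(values[i] for i in group)
        for i in group:
            published[i] = average
    return published


def smallest_group(published):
    """Smallest number of records sharing one published value."""
    return min(Counter(published).values())


# Constructed sample: monthly salaries of seven employees (not real data).
SALARIES = [4200, 9800, 4000, 5100, 4400, 10400, 5000]

if __name__ == "__main__":
    result = microaggregate(SALARIES, 3)
    for before, after in zip(SALARIES, result):
        print(f"{before:>6} -> {after}")
    print("smallest group:", smallest_group(result))
    # The total is preserved, so aggregate statistics stay usable.
    print("sum before/after:", sum(SALARIES), sum(result))
```

Averaging within groups only weakens the link between a value and a person; whether the result counts as anonymous still depends on the other identifiers left in the data set.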

 

STORAGE OF PERSONAL DATA AND DESTRUCTION PERIODS
With regard to the personal data processed by PEKİNTAŞ YAPI İNŞAAT SAN. VE TİC. LTD. ŞTİ. within the scope of its activities:

Storage periods on a personal data basis, for all personal data within the scope of the activities carried out depending on the processes, are included in the PEKİNTAŞ YAPI İNŞAAT SAN. VE TİC. LTD. ŞTİ. Personal Data Processing Inventory;
Storage periods based on data categories are registered to VERBIS;
Process-based retention periods are included in the Personal Data Retention and Destruction Policy.
In case of need, updates are made by Pekintaş Yapı San ve Tic. Ltd. Şti.

8.1 Storage and Destruction Periods

Process | Storage Period | Destruction Period
Data stored under the Labor Law (e.g. performance records etc.) | 5 years following the termination of the business relationship | Within 180 days after the expiry of the storage period
Data collected within the scope of occupational health and safety legislation (health reports, etc.) | 15 years following the termination of the business relationship | Within 180 days after the expiry of the storage period
Data kept within the scope of SGK legislation | 10 years following the termination of the business relationship | Within 180 days after the expiry of the storage period
Documents that can be used in a request / lawsuit regarding work accident / occupational disease | 10 years following the termination of the business relationship | Within 180 days after the expiry of the storage period
Data collected in accordance with other relevant legislation | For the period stipulated in the relevant legislation | Within 180 days after the expiry of the storage period
If the relevant personal data is the subject of a crime within the scope of the Turkish Penal Code or other criminal legislation | During the time limit of the case | Within 180 days after the expiry of the storage period
Customer data | 10 years following the termination of the legal relationship | Within 180 days after the expiry of the storage period

8.2 Data Destruction Times

PEKİNTAŞ YAPI İNŞAAT SAN. VE TİC. LTD. ŞTİ. deletes, destroys or anonymizes personal data in the first periodic destruction process following the date on which the obligation to delete, destroy or anonymize the personal data for which it is responsible arises pursuant to the Law, relevant legislation, the Personal Data Processing and Protection Policy, other policies and this Personal Data Storage and Destruction Policy. When the person concerned applies to PEKİNTAŞ YAPI İNŞAAT SAN. VE TİC. LTD. ŞTİ. pursuant to Article 13 of the Law and requests the deletion or destruction of his personal data:

If all the conditions for processing personal data have disappeared, PEKİNTAŞ YAPI İNŞAAT SAN. VE TİC. LTD. ŞTİ. deletes, destroys or anonymizes the personal data subject to the request within 30 (thirty) days from the day the request is received, by explaining its justification, with the appropriate disposal method. For PEKİNTAŞ YAPI İNŞAAT SAN. VE TİC. LTD. ŞTİ. to be deemed to have received the request, the person concerned must have made his request in accordance with the Personal Data Processing and Protection Policy and the Personal Data Application and Response Procedure.
In any case, PEKİNTAŞ YAPI İNŞAAT SAN. VE TİC. LTD. ŞTİ. gives information to the person concerned about the transaction.

If all the conditions for processing personal data have not disappeared, this request may be rejected by PEKİNTAŞ YAPI İNŞAAT SAN. VE TİC. LTD. ŞTİ. by explaining its justification pursuant to the third paragraph of Article 13 of the Law, and the rejection response is notified to the relevant person in writing or electronically within thirty days at the latest.

PERIODIC DESTRUCTION TIME
In the event that all the conditions for processing personal data in the Law are eliminated, PEKİNTAŞ YAPI İNŞAAT SAN. VE TİC. LTD. ŞTİ. ex officio deletes, destroys or anonymizes the personal data whose processing conditions have ceased, in a process carried out at the repetitive intervals specified in this Personal Data Storage and Destruction Policy.

If the purpose of the Company to use the relevant personal data has not expired, if the storage period foreseen for the relevant personal data in accordance with the relevant legislation is longer than the periods in the table, or if the legal limitation period for the relevant issue requires the storage of the personal data for longer than the periods in the table, the periods in the table above may not be applicable. In this case, whichever of the purpose of use, the special legislation or the statute of limitations expires later will apply.

10. PUBLISHING AND STORING AND UPDATING THE POLICY

The policy is published in two different media: wet signed (printed paper) and electronically, on PEKİNTAŞ YAPI İNŞAAT SAN. VE TİC. LTD. ŞTİ.'s website. The printed copy is also kept in the file by the Hospital Board of Directors or the Personal Data Manager.

The policy is reviewed as needed and the required sections are updated.

ADAPTATION AND CHANGES

PEKİNTAŞ YAPI İNŞAAT SAN. VE TİC. LTD. ŞTİ. has the right to change the personal data storage and disposal policy in accordance with the provisions of the legislation or company policy.