{"id":8148,"date":"2021-04-25T19:24:37","date_gmt":"2021-04-25T19:24:37","guid":{"rendered":"https://stoneline.com.tr/es/?page_id=8148"},"modified":"2023-03-01T13:21:30","modified_gmt":"2023-03-01T10:21:30","slug":"personal-data-storage-and-destruction-policy","status":"publish","type":"page","link":"https://stoneline.com.tr/es/personal-data-storage-and-destruction-policy/","title":{"rendered":"PERSONAL DATA STORAGE AND DESTRUCTION POLICY"},"content":{"rendered":"\n
This Personal Data Storage and Destruction Policy (“Policy”) is prepared by Stoneline Yapı Ürünleri San. A. Ş., as data controller, with the purpose of fulfilling our obligations and determining the maximum storage period required for the purpose of processing personal data in accordance with Law No. 6698 on Protection of Personal Data (“LPPD” or “Law”) and the Regulation on Erasure, Destruction or Anonymization of Personal Data published in the Official Gazette dated October 28, 2017 (“Regulation”), which is the secondary regulation of the Law, of using it as a basis for erasure, destruction and anonymization operations, and of informing the relevant persons about these operations.
\n\n\n\nThis Policy covers all employees and consultants of the institution and its affiliates, suppliers and other real and legal entities with whom the institution has legal relations, in all cases where personal data is shared. It also covers the personal data and sensitive personal data, as defined by the Law, that are processed by fully or partially automatic means, or by non-automatic means provided that they are part of a data recording system. Unless otherwise stated in the Policy, personal data and sensitive personal data are referred to together as “Personal Data”.
\n\n\n\nAll employees, consultants, external service providers and anyone else who stores and processes personal data within the institution are responsible for fulfilling the requirements for the destruction of data specified by the Law, the Regulation and the Policy. Each business unit is obliged to store and protect the data generated in its own business processes.
\n\n\n\nResponsibility for actions such as sending or receiving notifications or correspondence to or from the PDP Board on behalf of the data controller, and registering with the registry, lies with the “Contact Person of the Data Controller.”
\n\n\n\nAbbreviation | Description |
Explicit Consent | A consent about a specific subject based on information and expressed in free will. |
Related User | The persons who process personal data within the organization of the data controller or in accordance with the authorization and instruction received from the data controller, except the person or unit responsible for the technical storage, protection and backup of the data. |
Destruction | Erasure, destruction or anonymization of personal data. |
Law / KVKK | Law on Protection of Personal Data No. 6698 |
Recording Medium | Any medium in which personal data are processed by fully or partially automated means, or by non-automated means provided that they are part of a data recording system. |
Personal Data | Any information related to a real person who is identified or identifiable. |
Processing of Personal Data | All kinds of processes performed on personal data, including obtaining them by fully or partially automatic means, or by non-automatic means provided that they are part of a data recording system, recording, storing, keeping, changing, re-arranging, disclosure, transmission, acquisition, making available, classification or prevention of use. |
Anonymization of Personal Data | Making personal data not to be associated with any identified or identifiable real person in any way, even when paired with other data. |
Erasure of Personal Data | Erasure of personal data is the process of making personal data inaccessible and unusable for the relevant users in any way. |
Destruction of Personal Data | The process of rendering personal data inaccessible, unrecoverable and unusable by anyone in any way. |
Board | Personal Data Protection Board. |
Sensitive Personal Data | Personal data relating to the race, ethnic origin, political opinion, philosophical belief, religion, sect or other belief, clothing, membership of associations, foundations or trade-unions, information relating to health, sexual life, convictions and security measures, and the biometric and genetic data of individuals. |
Periodic Destruction | In the event that all the processing conditions of personal data in the Law disappear, the process of erasure, destruction, or anonymization of the personal data that will be carried out at regular intervals specified in the storage and destruction policy. |
Data Subject/ Related Person | The real person whose personal data is processed. |
Data Controller | Real or legal entity responsible for identifying the purposes and means of personal data processing, and for installing and managing the data recording system. |
Regulation | Regulation on Erasure, Destruction or Anonymization of Personal Data published in the Official Gazette on October 28, 2017. |
Stoneline Yapı Ürünleri San. A. Ş. acts within the framework of the following principles in the storage and disposal of personal data:
\n\n\n\n____________________________________
\n\n\n\n1 a) Compliance with the rules of law and honesty, b) Being accurate and up-to-date when necessary, c) Processing for specific, clear and legitimate purposes, d) Being connected, limited and proportionate to the purpose for which they are processed, e) Storing for a period of time required for the purposes foreseen in the relevant legislation or for the purpose for which they are processed.
\n\n\n\nPersonal data belonging to data subjects are stored securely by Stoneline Yapı Ürünleri San. A. Ş. in the physical or electronic environments listed above, within the limits stipulated in the LPPD or other related legislation, especially for the purposes of (i) maintaining commercial activities, (ii) fulfilling legal obligations, (iii) planning and performing employee rights and benefits, and (iv) managing customer relations.
\n\n\n\nThe reasons requiring storage are as follows:
\n\n\n\nPursuant to the Regulation, in the cases listed below, personal data will be erased, destroyed or anonymized by Stoneline Yapı Ürünleri San. A. Ş., either on its own motion or upon the request of the related person:
\n\n\n\nStoneline Yapı Ürünleri San. A. Ş. uses the following criteria in determining the storage and destruction periods of your personal data obtained in accordance with the provisions of LPPD and other relevant legislation:
\n\n\n\nYou can access the storage, destruction and periodic destruction periods determined by Stoneline Yapı Ürünleri San. A. Ş. in the “Personal Data Processing Inventory” attached to the Policy.
\n\n\n\nPersonal data whose storage period has expired are destroyed at 6-month intervals, in accordance with the procedures set out in the Policy and within the framework of the destruction periods included in the annex of the Policy.
\n\n\n\nIn this regard, all transactions related to the erasure, destruction and anonymization of personal data are recorded, and these records are kept for at least three years, excluding other legal obligations.
\n\n\n\nPersonal data belonging to data subjects are stored in the media listed below by Stoneline Yapı Ürünleri San. A. Ş. in compliance with the provisions of the LPPD and related legislation, and within the scope of international data security principles:
\n\n\n\nAll administrative and technical measures taken by Stoneline Yapı Ürünleri San. A. Ş. within the framework of the principles in Article 12 of the LPPD in order to keep your personal data secure, to prevent it from being processed and accessed unlawfully, and to destroy the data in accordance with the law are listed below:
\n\n\n\nWithin the scope of administrative measures, Stoneline Yapı Ürünleri San. A. Ş.;
\n\n\n\nWithin the scope of technical measures, Stoneline Yapı Ürünleri San. A. Ş.;
\n\n\n\nYou can access the titles, units and job descriptions of the personnel involved in the personal data storage and destruction process from the list in ANNEX-1 of this Policy.
\n\n\n\nIf the purposes for personal data processing stipulated in the LPPD and the Regulation cease to exist, the personal data obtained by Stoneline Yapı Ürünleri San. A. Ş. in accordance with the LPPD and other relevant legislation will be destroyed by Stoneline Yapı Ürünleri San. A. Ş., on its own motion or upon the request of the related person, with the following techniques and in compliance with the provisions of the Law and related legislation.
\n\n\n\nThe procedures and principles regarding the erasure and destruction of personal data by Stoneline Yapı Ürünleri San. A. Ş. are listed below:
\n\n\n\nErasure of Personal Data:
\n\n\n\nSecure Erasure from Software: When data that is processed by fully or partially automatic means and stored in digital media is erased, methods are used that erase the data from the relevant software so that it becomes inaccessible and unusable for the Related Users in any way.
\n\n\n\nThe following can be considered within this scope: erasing the relevant data in the cloud system by giving an erasure command; removing the relevant user’s access rights on the file or on the directory where the file is located on the central server; erasing the relevant rows in databases with database commands; or erasing the data on removable media, i.e. flash media, by using appropriate software.
\n\n\n\nHowever, if the erasure of personal data will result in the inability to access and use other data within the system, personal data will also be deemed erased if personal data are archived by making them unrelated to the relevant person, provided that the following conditions are met.
\n\n\n\nSafe Erasure by Expert: In some cases, the institution may engage an expert to erase personal data on its behalf. In this case, the personal data will be securely erased by a person who is an expert on this subject, making it inaccessible and unusable in any way for Related Users.
\n\n\n\nBlackening of Personal Data on Paper Media: This is the method of physically cutting the relevant personal data out of the document, or of making it invisible using fixed ink in a way that cannot be reversed and cannot be read with technological solutions, in order to prevent the unintended use of personal data or to erase the data requested to be erased.
\n\n\n\nDestruction of Personal Data:
\n\n\n\nPhysical Destruction: Personal data can be processed by non-automatic means, provided that it is part of a data recording system. When erasing or destroying such data, physical destruction is applied so that the personal data cannot be used afterwards.
\n\n\n\nThe procedures and principles regarding the techniques of anonymizing personal data by Stoneline Yapı Ürünleri San. A. Ş. are listed below:
\n\n\n\nAnonymization Methods that do not Cause Value Irregularity
\n\n\n\nAnonymization methods that do not cause value irregularity make no change, addition or removal to the values of the personal data being stored. They anonymize by generalizing a personal data group, replacing its members with one another, or removing a certain data item or sub-data group from the group.
\n\n\n\nVariable Extraction: With the method of extracting descriptive data, the existing data set is anonymized by removing “highly descriptive” variables from the data set created after combining the collected data.
\n\n\n\nRecord Extraction: In the record extraction method, the data line containing singularity among the data is removed from the records and the stored data is anonymized. For example, if there is only one senior manager in a company, the remaining data can be anonymized by removing the data of this person from the records where the seniority, salary and gender data of employees at the same level are kept.
\n\n\n\nRegional Hiding: In the regional hiding method, if a single data item is identifying because it forms a very rarely seen combination, hiding the relevant data provides anonymization.
\n\n\n\nLower and Upper Limit Coding: With the lower and upper limit coding method, data is anonymized by combining the values in a data group into predefined categories according to a certain criterion.
\n\n\n\nGeneralization: With the data aggregation method, many data are aggregated and personal data cannot be associated with any person.
\n\n\n\nGlobal Coding: With the data derivation method, a more general content is created from the content of personal data and it is ensured that personal data cannot be associated with any person.
\n\n\n\nAnonymization Methods that Cause Value Irregularities
\n\n\n\nUnlike the methods that do not cause value irregularity, anonymization methods that cause value irregularity change some of the data and so create distortion in personal data groups. When using these methods, the deviations must be applied carefully and in line with the expected/desired benefit. By ensuring that the total statistics are not distorted, it is still possible to continue to benefit from the data as expected.
\n\n\n\nIn accordance with the 28th Article of the Law, if personal data are processed for purposes such as research, planning and statistics by anonymizing them through official statistics, this will remain outside the scope of the Law and explicit consent will not be required.
\n\n\n\nIn case of inconsistency between the provisions of the LPPD, other relevant legislation and this Policy, the provisions of the LPPD and other relevant legislation shall be valid.
\n\n\n\nThis Policy, which is prepared by Stoneline Yapı Ürünleri San. A. Ş., entered into force on 14.12.2020. In case of any change made to the Policy, the effective date of the Policy and related articles will be updated accordingly. The update table is given in Appendix-3.
\n\n\n\nANNEX-1
\n\n\n\nPERSONNEL TITLE, UNIT AND POSITION LIST
\n\n\n\nPERSONNEL | POSITION | RESPONSIBILITY |
Lawyer | Business Partner as Data Processor Law Firm – Responsible for implementing personal data storage and destruction policy | Ensuring the suitability of processes with storage period and management of personal data destruction process in line with periodical destruction period within the scope of his/her duty |
Human Resources | Business Partner as Data Processor Human Resources – Responsible for implementing personal data storage and destruction policy | Ensuring the suitability of processes with storage period and management of personal data destruction process in line with periodical destruction period within the scope of his/her duty |
Purchasing | Business Partner as Data Processor Purchasing – Responsible for implementing personal data storage and destruction policy | Ensuring the suitability of processes with storage period and management of personal data destruction process in line with periodical destruction period within the scope of his/her duty |
Quality Control | Business Partner as Data Processor Quality Control – Responsible for implementing personal data storage and destruction policy | Ensuring the suitability of processes with storage period and management of personal data destruction process in line with periodical destruction period within the scope of his/her duty |
OHS | Business Partner as Data Processor OHS – Responsible for implementing personal data storage and destruction policy | Ensuring the suitability of processes with storage period and management of personal data destruction process in line with periodical destruction period within the scope of his/her duty |
Sales-Marketing | Business Partner as Data Processor Sales – Responsible for implementing personal data storage and destruction policy | Ensuring the suitability of processes with storage period and management of personal data destruction process in line with periodical destruction period within the scope of his/her duty |
Accounting | Accounting Department – Responsible for implementing personal data storage and destruction policy | Ensuring the suitability of processes with storage period and management of personal data destruction process in line with periodical destruction period within the scope of his/her duty |
Information Technologies | Information Technologies – Responsible for implementing personal data storage and destruction policy | Ensuring the suitability of processes with storage period and management of personal data destruction process in line with periodical destruction period within the scope of his/her duty |
ANNEX-2
\n\n\n\nSTORAGE AND DESTRUCTION PERIODS TABLE
\n\n\n\nThe storage and destruction periods of the data processed by the institution are determined on the basis of the process in the Personal Data Processing Inventory, and the said Inventory will be accessible through the institution.
\n\n\n\nIf the Company’s purpose for using the relevant personal data has not expired, if the storage period foreseen for the relevant personal data in the relevant legislation is longer than the periods specified in the table, or if the relevant statute of repose period requires the personal data to be stored longer than the periods specified in the table, the periods defined in the table above may not be applied. In this case, the purpose of use, the special legislation or the statute of repose period, whichever expires later, shall be applicable.
\n\n\n\nPROCESS | STORAGE PERIOD | DESTRUCTION PERIOD |
Execution of Subsistence Allowance Processes | Until Legal Relationship Ends + 10 YEARS | within 180 days after the expiration of storage period |
Human Resources Management and Personnel File | Until Legal Relationship Ends + 10 YEARS | within 180 days after the expiration of storage period |
Responding to court/enforcement information requests regarding the personnel | Until Legal Relationship Ends + 10 YEARS | within 180 days after the expiration of storage period |
Shareholder and business court processes | During Shareholder Term | within 180 days after the expiration of storage period |
Preparation of agreements | 10 YEARS | within 180 days after the expiration of storage period |
Employment | 10 years after the end of the business relationship | within 180 days after the expiration of storage period |
Payroll | Until Legal Relationship Ends + 10 YEARS | within 180 days after the expiration of storage period |
Training Processes | Until Legal Relationship Ends + 10 YEARS | within 180 days after the expiration of storage period |
Invoicing Process | 10 YEARS | within 180 days after the expiration of storage period |
Transaction Security Password Details | 10 YEARS | within 180 days after the expiration of storage period |
Practices of Occupational Health and Safety | 10 YEARS | within 180 days after the expiration of storage period |
Workplace Warning Process | 10 YEARS | within 180 days after the expiration of storage period |
OHS Risk Assessment Report | 10 YEARS | within 180 days after the expiration of storage period |
Log/Record/Tracking Systems | 2 YEARS | within 180 days after the expiration of storage period |
Power of Attorney Processes | Until Legal Relationship Ends + 10 YEARS | within 180 days after the expiration of storage period |
Tracking of Shareholder Processes | During Shareholder Term | within 180 days after the expiration of storage period |
Travel Processes | 10 YEARS | within 180 days after the expiration of storage period |
Audit Processes | 10 YEARS | within 180 days after the expiration of storage period |
Execution of Job Application Processes | 6 MONTHS | within 180 days after the expiration of storage period |
Camera Records Management | 30 DAYS | within 30 days after the expiry of the storage period |
Annual Leave Follow-Up Process | Until Legal Relationship Ends + 10 YEARS | within 180 days after the expiration of storage period |
Foreign Personnel Residence Procedures | Until Legal Relationship Ends + 10 YEARS | within 180 days after the expiration of storage period |
Embezzlement Processes | Until Legal Relationship Ends + 10 YEARS | within 180 days after the expiration of storage period |
OHS Expertise Processes | 10 YEARS | within 180 days after the expiration of storage period |
Payment Procedures | Until Legal Relationship Ends + 10 YEARS | within 180 days after the expiration of storage period |
Personnel Financial Processes | Until Legal Relationship Ends + 10 YEARS | within 180 days after the expiration of storage period |
Part of the contract process and maintenance of the contract | Until Legal Relationship Ends + 10 YEARS | within 180 days after the expiration of storage period |
Execution of Goods Sales Processes | 10 YEARS | within 180 days after the expiration of storage period |
Customer Satisfaction Measurement and Evaluation Process | 10 YEARS | within 180 days after the expiration of storage period |
Event and Organization Processes | 10 YEARS | within 180 days after the expiration of storage period |
Certificate Processes | 10 YEARS | within 180 days after the expiration of storage period |
Purchasing Processes | 10 YEARS | within 180 days after the expiration of storage period |
Foreign Sales Process | 10 YEARS | within 180 days after the expiration of storage period |
Dispatch Note Processes | 10 YEARS | within 180 days after the expiration of storage period |
Execution of Shipping Processes | 10 YEARS | within 180 days after the expiration of storage period |
\n","protected":false},"author":4,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_acf_changed":false,"_seopress_robots_primary_cat":"","_seopress_titles_title":"PERSONAL DATA STORAGE AND DESTRUCTION POLICY","_seopress_titles_desc":"","_seopress_robots_index":"","footnotes":""},"acf":[],"fimg_url":false,"_links":{"self":[{"href":"https://stoneline.com.tr/es/wp-json/wp/v2/pages/8148"}],"collection":[{"href":"https://stoneline.com.tr/es/wp-json/wp/v2/pages"}],"about":[{"href":"https://stoneline.com.tr/es/wp-json/wp/v2/types/page"}],"author":[{"embeddable":true,"href":"https://stoneline.com.tr/es/wp-json/wp/v2/users/4"}],"replies":[{"embeddable":true,"href":"https://stoneline.com.tr/es/wp-json/wp/v2/comments?post=8148"}],"version-history":[{"count":0,"href":"https://stoneline.com.tr/es/wp-json/wp/v2/pages/8148/revisions"}],"wp:attachment":[{"href":"https://stoneline.com.tr/es/wp-json/wp/v2/media?parent=8148"}],"curies":[{"name":"wp","href":"https://api.w.org/{rel}","templated":true}]}}