Personal Data Retention and Disposal Policy
1. PURPOSE AND SCOPE
The Personal Data Retention and Disposal Policy ("Policy") has been prepared by Çeşit Parlatıcı Zımpara Sanayi ve Ticaret Limited Şirketi ("Çeşit" or "the Company") to establish procedures and principles regarding retention and disposal activities.
Our fundamental principle as a Company is to process personal data belonging to our customers, employees, job applicants, service providers, visitors and other third parties in compliance with the Turkish Constitution, international conventions, Law No. 6698 on the Protection of Personal Data ("Law") and other relevant legislation. In this context, preventing rights violations of data subjects and enabling effective exercise of their rights have been determined as priorities.
This Personal Data Retention and Disposal Policy has been prepared in compliance with Law No. 6698 on the Protection of Personal Data, the Regulation on the Deletion, Destruction or Anonymization of Personal Data published in the Official Gazette No. 30224 dated 28.10.2017 ("Regulation") and other relevant legislative provisions.
2. DEFINITIONS
| Term | Definition |
|---|---|
| Recipient Group | Category of real or legal persons to whom personal data is transferred by the data controller. |
| Explicit Consent | Consent given based on information and freely declared regarding a specific subject. |
| Anonymization | Rendering personal data impossible to associate with an identified or identifiable natural person, even by matching with other data. |
| Employee | Company personnel. |
| Electronic Medium | Environments where personal data can be created, read, modified and written by electronic devices. |
| Non-Electronic Medium | All written, printed, visual etc. media other than electronic media. |
| Service Provider | Real or legal person providing services under a specific contract with the Personal Data Protection Authority. |
| Data Subject | Natural person whose personal data is processed. |
| Related User | Persons processing personal data within the data controller organization or authorized by the data controller, excluding those responsible for technical storage, protection and backup of data. |
| Disposal | Deletion, destruction or anonymization of personal data. |
| Law | Law No. 6698 on the Protection of Personal Data. |
| Recording Medium | Any medium containing personal data processed wholly or partly by automated means or as part of any data recording system. |
| Personal Data | Any information relating to an identified or identifiable natural person. |
| Personal Data Processing Inventory | Inventory detailing personal data processing activities by purposes, legal grounds, data categories, recipient groups and data subject groups, including maximum retention periods and security measures. |
| Processing of Personal Data | Any operation performed on personal data including collection, recording, storage, modification, reorganization, disclosure, transfer, acquisition, classification, or blocking access. |
| Board | Personal Data Protection Board. |
| Special Category Personal Data | Data relating to race, ethnicity, political opinion, philosophical belief, religion, sect or other beliefs, appearance, association/foundation/union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data. |
| Periodic Disposal | Deletion, destruction or anonymization of personal data performed ex officio at recurring intervals when all conditions for processing cease to exist. |
| Policy | Personal Data Retention and Disposal Policy. |
| Data Processor | Real or legal person processing personal data on behalf of the data controller. |
| Data Recording System | Recording system where personal data is structured and processed according to specific criteria. |
| Data Controller | Real or legal person determining the purposes and means of processing personal data, responsible for establishing and managing the data recording system. |
| Data Controllers Registry Information System (VERBIS) | Information system created and managed by the Presidency for data controllers' registry applications. |
| Regulation | Regulation on the Deletion, Destruction or Anonymization of Personal Data published in the Official Gazette dated 28 October 2017. |
3. RECORDING MEDIA
The table below shows the media where personal data stored by the Company is recorded. Personal data is stored in the most appropriate medium based on its nature and legal status.
| Data Recording Medium | Description |
|---|---|
| Electronic Media | - Servers (Email etc.) - Information Security Devices (Firewall, Antivirus etc.) - Company Computers (Desktop etc.) - Optical Discs (CD, DVD etc.) - Removable Memory (USB etc.) |
| Non-Electronic Media | - Paper - Written, printed, visual media |
4. RESPONSIBILITIES AND TASK DISTRIBUTION
Article 6(f) of the Regulation requires specifying titles, duties and units of persons involved in personal data retention and disposal processes. Accordingly, the following roles are defined to prevent unlawful processing/access and ensure lawful retention:
| Title | Job Description |
|---|---|
| Personal Data Manager (Contact Person) | Responsible for directing compliance projects, managing processes according to policies, and deciding on data subject requests. |
| Company Personal Data Protection Specialist (Technical and Administrative) | Responsible for evaluating data subject requests, implementing disposal decisions, and auditing retention/disposal processes. |
| HR Department Manager, Accounting Department Manager | Responsible for implementing policies and conducting audits regarding personal data protection. |
5. RETENTION AND DISPOSAL EXPLANATIONS
The Company processes personal data in compliance with the Law, retains it in the media specified in this Policy, and disposes of it as specified herein.
Personal Data is retained based on one or more processing conditions under Articles 5 and 6 of the Law. When these conditions cease to exist or upon data subject request (after verifying other legal obligations), data is deleted, destroyed or anonymized.
Legal Grounds Requiring Retention
Personal data processed by the Company is retained for periods stipulated in relevant legislation including:
Labor Law No. 4857
Turkish Commercial Code No. 6102
Turkish Obligations Code No. 6098
Consumer Protection Law No. 6502
Occupational Health and Safety Law No. 6331
Personal Data Protection Law No. 6698
Tax Procedure Law No. 213
Social Insurance and General Health Insurance Law No. 5510
Processing Purposes Requiring Retention
The Company retains personal data for specific purposes including:
Emergency Management Processes
Information Security Processes
Job Application Processes
Fulfillment of Employment Contracts and Legal Obligations
Employee Benefits Processes
Legal Compliance of Operations
Legal Affairs Management
Goods/Services Procurement
Goods/Services Sales
Archiving Activities
Complaint Management
Information Disclosure to Authorities
Visitor Records Management
Grounds Requiring Disposal
Personal data is deleted, destroyed or anonymized when:
Relevant legislation is amended/repealed
Processing purpose ceases to exist
Explicit consent is withdrawn (if processing was consent-based)
Data subject request is accepted under Article 11
Data subject complaint to Authority is upheld
Maximum retention period expires without justification
Statutory retention periods expire
6. TECHNICAL AND ADMINISTRATIVE MEASURES FOR SECURE RETENTION AND PREVENTION OF UNLAWFUL PROCESSING/ACCESS
Çeşit takes all necessary technical and administrative measures appropriate to the nature of personal data and storage medium. Additional measures are taken for special category data as determined by the Board.
6.1 Technical Measures
Employee authorization matrix
Revoking access for transferred/separated employees
Updated antivirus systems
Firewalls
Physical access controls
Immutable log records
Encrypted transfer of special category data via corporate email/KEP
Encryption
Encrypted transfer of special category data on portable media
6.2 Administrative Measures
Regular employee training
Corporate policies on access, security, usage, retention and disposal
Confidentiality agreements
Personal data security policies/procedures
Security monitoring
Physical security against external risks (fire, flood etc.)
Secure physical environments
Data minimization
Special protocols for special category data
7. PERSONAL DATA DISPOSAL TECHNIQUES
Çeşit deletes, destroys or anonymizes personal data when processing grounds cease to exist, either upon request or ex officio as specified in this Policy.
7.1 Deletion Methods
| Medium | Method |
|---|---|
| Physical Media | Redaction: Making personal data unreadable by cutting or permanent ink |
| Cloud/Local Digital Media | Secure digital deletion via database administrator |
| Servers | Access revocation and deletion by system administrator |
7.2 Destruction Methods
| Medium | Method |
|---|---|
| Physical/Printed Media | Physical destruction via document shredders |
| Local Digital Media/Servers | Physical destruction (melting/burning/pulverizing), degaussing, overwriting (7x) |
| Cloud Media | Irreversible digital deletion and encryption key destruction |
7.3 Anonymization Methods
Çeşit renders personal data impossible to associate with an identifiable person using:



