PAYNA GRUP TURİZM GIDA SANAYİ VE TİCARET ANONİM ŞİRKETİ
PERSONAL DATA STORAGE AND DESTRUCTION POLICY
1. Purpose of the Destruction Policy
This Personal Data Storage and Destruction Policy (the “Policy”) has been developed by Payna Grup Turizm Gıda Sanayi ve Ticaret Anonim Şirketi (the “Company”), acting as data controller, to set out the procedures and principles the Company follows when deleting, destroying or anonymizing the personal data in its possession, whether ex officio or upon the request of the data subject, in accordance with the Personal Data Protection Law No. 6698 (“KVKK”) and applicable legislation.
This Policy shall apply to the personal data of our employees, employee candidates, customers, visitors, managers, dealers, employees of companies we cooperate with, receive services/products from and/or provide services/products to, and other third parties, which are in the possession of the Company. The terms of this Policy shall apply to all recording environments where personal data of the aforementioned persons are processed and to activities related to the processing of personal data.
2. Storage Media of Personal Data
Personal data stored by the Company shall be maintained in a recording environment appropriate to the nature of the relevant data and our legal obligations.
The recording media used to store personal data are generally those listed below. However, some data may be maintained in a different environment than the environments shown herein due to their special characteristics or our legal obligations. In all cases, the Company acts as a data controller and processes and protects personal data in accordance with the KVKK, the Personal Data Processing, Protection and Privacy Policy (you can access the policy at www.paynagrup.com) and this Personal Data Storage and Destruction Policy.
Electronic Media | Non-Electronic Media |
Servers (database, e-mail, web, backup, file sharing, etc.) | Paper |
Software (Microsoft Office programs) | Unit cabinets |
Mobile devices owned by the Company (mobile phones, tablets) | Folders |
Personal computers (desktop, laptop) | Archive room |
Optical discs (CD, DVD) | |
Removable media (USB, memory card) | |
Camera recording area | |
Printers, scanners and photocopiers | |
3. Security of Environments
The Company takes the necessary technical and administrative measures in accordance with the characteristics of the relevant personal data and the environment in which it is maintained in order to ensure that personal data is stored securely, and to prevent unlawful processing and access of it. In this context, the Company’s personnel are informed and regularly trained in accordance with the applicable legislation. Computer systems are closed circuit.
These measures include the following administrative and technical measures to the extent appropriate to the nature of the personal data and the environment in which it is maintained.
3.1. Technical Measures
The Company takes the following technical measures for the personal data it processes:
Only up-to-date and secure systems that are compatible with technological developments are used in environments where personal data is stored.
Security systems are used for environments where personal data is stored.
Security tests are conducted to identify security vulnerabilities on information systems, and existing or potential risks identified as a result of the tests are eliminated.
Up-to-date anti-virus systems are used.
Firewalls are used.
Access to the environments where personal data is stored is restricted, and only authorized persons are allowed to access this data, limited to the purpose of storing the personal data, and all access is recorded.
Access rights of employees who are reassigned to another role or whose employment is terminated shall be revoked.
The Company has sufficient technical personnel and/or receives technical services from contracted companies to ensure the security of the environments where personal data is stored.
3.2. Administrative Measures
The Company takes the following administrative measures for the personal data it processes:
Periodic activities are carried out to increase the awareness of all Company employees who have access to personal data on data security and confidentiality of personal data.
Legal and technical consultancy services are received to follow developments in the field of data security and to take the necessary actions.
Personal data security policies and procedures are set.
Signed contracts include data security terms.
Personal data security issues are reported.
In case personal data is transferred to third parties due to technical or legal requirements, a protocol is signed with the relevant third parties for the purpose of protecting the personal data and/or a commitment is obtained from the relevant third parties to comply with their confidentiality obligations.
3. Internal Audit
In accordance with Article 12 of the Law, the Company conducts internal audits regarding the implementation of the provisions of the Law, this Policy and the Personal Data Processing, Protection and Privacy Policy.
If any faults or defects are detected in the implementation of the provisions as a result of internal audits, they shall be immediately remedied.
If it is understood during an audit or otherwise that personal data under the responsibility of the Company has been obtained by others through illegal means, the Company shall notify the relevant person and the Board of this situation as soon as possible.
4. Reasons for Storage and Destruction
Personal data in the possession of the Company is stored in accordance with the KVKK and our Personal Data Processing, Protection and Privacy Policy, for the purposes and reasons specified herein.
Personal data in the possession of the Company shall be deleted, destroyed or anonymized in accordance with this Policy upon the request of the relevant person or if the reasons listed in Articles 5 and 6 of the KVKK no longer exist.
The reasons listed in Articles 5 and 6 of the Law are as follows:
It is expressly stipulated by law.
It is necessary for the protection of the life or physical integrity of a person or someone else who is unable to give their consent due to a physical impossibility or whose consent is not legally valid.
It is necessary to process personal data of the parties to a contract if it is directly related to the establishment or performance of this contract.
It is mandatory for the data controller to fulfill its legal obligation.
It is made public by the relevant person.
It is required to process data for the establishment, exercise or protection of a right.
It is required to process data for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the relevant person.
5. Destruction Methods
The Company shall delete, destroy or anonymize personal data it stores in accordance with the KVKK, other legislation and the Personal Data Processing, Protection and Privacy Policy, upon the request of the relevant person or ex officio within the periods specified in this Policy, if the reasons requiring the processing of the data no longer exist.
The most commonly used deletion, destruction and anonymization techniques by the Company are listed below:
5.1. Deletion Methods
Deletion Methods for Personal Data Stored on Printed Media
Blackout: Personal data on printed media is deleted using the blackout method. The blackout process is carried out by cutting the personal data on the document if possible, or if not possible, by making it invisible using fixed ink in a way that is irreversible and unreadable with technological solutions.
Deletion Methods for Personal Data Stored on the Cloud and Local Digital Media
Secure deletion from software: Personal data stored on the cloud or local digital media is deleted with a digital command in a way that cannot be recovered again. Data deleted in this way cannot be accessed again.
5.2. Destruction Methods
Destruction Methods for Personal Data Stored on Printed Media
Physical destruction: Documents maintained in printed form are destroyed with document shredders in such a way that they cannot be put back together again.
Destruction Methods for Personal Data Stored on Local Digital Media
Physical destruction: Optical and magnetic media containing personal data are rendered unusable, and the data on them inaccessible, by processes such as melting, burning, physically damaging (puncturing, breaking), pulverizing or passing them through a metal grinder.
Degaussing: Exposing magnetic media to a strong magnetic field so that the data on it is corrupted and becomes unreadable.
Overwriting: Random data consisting of 0s and 1s is written at least seven times on the magnetic media and rewritable optical media to prevent the reading and recovery of old data.
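The overwriting step described above, as an added illustration that is not part of the Policy and not the Company's own tooling: a file holding constructed sample data is overwritten in place seven times with random bytes, each pass flushed to disk before the next, and then unlinked. The function returns a small record of the kind a destruction log (see the record-keeping obligation later in this Policy) would need. Overwriting only works where the write lands on the same physical location as the original data, which holds for directly addressed magnetic media; on SSDs and other flash media the controller's wear levelling, and on cloud storage the provider's replication, mean a logical overwrite does not reliably reach every physical copy, which is why the Policy relies on key destruction for cloud data.

```python
import os
import secrets
import tempfile


def overwrite_in_place(path: str, passes: int = 7, chunk_size: int = 1 << 20) -> dict:
    """Overwrite every byte of `path` with fresh random data `passes` times.

    Each pass is flushed and fsync'd so the next pass is not merged with it
    in the page cache. Returns a record suitable for a destruction log.
    """
    size = os.path.getsize(path)
    with open(path, "r+b", buffering=0) as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk_size, remaining)
                fh.write(secrets.token_bytes(n))  # random 0s and 1s, new per pass
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())
    return {"path": path, "bytes": size, "passes": passes}


def secure_delete(path: str, passes: int = 7) -> dict:
    """Overwrite, then remove the directory entry and record what was done."""
    record = overwrite_in_place(path, passes)
    os.remove(path)
    record["removed"] = not os.path.exists(path)
    return record


def demo(passes: int = 7) -> dict:
    """Run the procedure on a throwaway file with constructed sample content.

    Returns the log record plus whether the bytes on disk changed before the
    file was unlinked, so the effect can be checked without a real disk.
    """
    # Constructed sample record; not real personal data.
    original = b"Name: A. Yilmaz; Employee no: 0001; Salary: 31000\n" * 200
    fd, path = tempfile.mkstemp(prefix="kvkk-demo-")
    with os.fdopen(fd, "wb") as fh:
        fh.write(original)

    record = overwrite_in_place(path, passes)
    with open(path, "rb") as fh:
        after = fh.read()
    record["content_changed"] = after != original and len(after) == len(original)

    os.remove(path)
    record["removed"] = not os.path.exists(path)
    return record


if __name__ == "__main__":
    print(demo())
```

The demo writes to a temporary file so it can be run anywhere; in practice the record returned by `secure_delete` is what gets stored, together with who ran it and when.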
Destruction Methods for Personal Data Stored on the Cloud
Secure deletion from software: Personal data stored on the cloud is deleted by digital command in a way that it cannot be recovered again. When the cloud computing service relationship ends, all copies of the encryption keys required to make personal data usable are destroyed. Data deleted in this way cannot be accessed again.
5.3. Anonymization Methods
Anonymization is the process of rendering personal data such that it can no longer be associated with an identified or identifiable natural person by any means, even when matched with other data.
Removal of variables: Removing one or more direct identifiers contained in the personal data of the relevant person that would allow the relevant person to be identified in any way. This method can be used to anonymize personal data, or to delete information in personal data that is not compatible with the purpose of data processing.
Local concealing: Deleting, within a data table where personal data is stored collectively and anonymously, the values of exceptional records that could make those records distinctive.
Generalization: Bringing together personal data belonging to many people and turning them into statistical data by removing distinguishing information.
Lower and upper bound coding/Global coding: For a specific variable, ranges are defined and categorized. If the variable does not contain a numerical value, then the data that is close to each other within the variable are categorized. The values remaining in the same category are combined.
Micro combining: All records in the dataset are first sorted in a meaningful order, and the whole set is then divided into a fixed number of subsets. For each subset, the average of the specified variable is calculated and the value of that variable in every record of the subset is replaced with the average. Because the indirect identifiers in the data are thereby distorted, it becomes difficult to associate the data with the relevant person.
Data mixing and corruption: Direct or indirect identifiers in personal data are mixed with other values or corrupted so that the relationship with the relevant person is lost, causing them to lose their identifying qualities.
The Company uses one or more of these anonymization methods to anonymize personal data, depending on the nature of the data. The Company may use the K-Anonymity, L-Diversity and T-Closeness statistical methods for the use of the anonymization methods.
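The anonymization methods above, applied in sequence to a constructed six-record dataset, as an added example that is not part of the Policy and not the Company's own tooling: removal of variables drops the direct identifiers, generalization (global coding) replaces exact ages and postcodes with bands and regions, micro combining replaces salaries with subset averages, and a final check computes the k in k-anonymity (the size of the smallest group of records sharing the same quasi-identifier values). The column names, the required k and the sample values are assumptions chosen for illustration; L-diversity and T-closeness are not implemented here.

```python
from collections import Counter
from statistics import mean

# Constructed sample records (not real data). "name" and "tc_no" are direct
# identifiers; "age" and "postcode" are indirect identifiers that could
# single someone out in combination; "salary" is the sensitive attribute.
SAMPLE = [
    {"name": "A. Yilmaz", "tc_no": "11111111110", "age": 34, "postcode": "34394", "salary": 31000},
    {"name": "B. Demir",  "tc_no": "22222222220", "age": 37, "postcode": "34394", "salary": 29000},
    {"name": "C. Kaya",   "tc_no": "33333333330", "age": 31, "postcode": "34398", "salary": 45000},
    {"name": "D. Celik",  "tc_no": "44444444440", "age": 52, "postcode": "06800", "salary": 52000},
    {"name": "E. Arslan", "tc_no": "55555555550", "age": 58, "postcode": "06810", "salary": 59000},
    {"name": "F. Sahin",  "tc_no": "66666666660", "age": 55, "postcode": "06830", "salary": 48000},
]

DIRECT_IDENTIFIERS = ("name", "tc_no")   # assumed column names
QUASI_IDENTIFIERS = ("age", "postcode")  # assumed column names


def remove_variables(records, columns):
    """Removal of variables: drop the direct identifiers entirely."""
    return [{k: v for k, v in r.items() if k not in columns} for r in records]


def generalize(records):
    """Global coding / generalization: exact age becomes a 10-year band and
    the postcode is cut to its first two digits (a coarser region)."""
    out = []
    for r in records:
        g = dict(r)
        low = (r["age"] // 10) * 10
        g["age"] = f"{low}-{low + 9}"
        g["postcode"] = r["postcode"][:2] + "***"
        out.append(g)
    return out


def micro_aggregate(records, column, group_size):
    """Micro combining: sort by `column`, split into subsets of `group_size`,
    and replace each subset's values with the subset average."""
    ordered = sorted(records, key=lambda r: r[column])
    out = []
    for i in range(0, len(ordered), group_size):
        subset = ordered[i:i + group_size]
        avg = mean(r[column] for r in subset)
        for r in subset:
            g = dict(r)
            g[column] = avg
            out.append(g)
    return out


def k_anonymity(records, quasi_identifiers):
    """Return k: the size of the smallest equivalence class over the
    quasi-identifiers. Every record is then hidden among at least k others."""
    classes = Counter(tuple(r[q] for q in quasi_identifiers) for r in records)
    return min(classes.values())


def anonymize(records, k_required=3):
    """Apply the methods in order and refuse output that is below k_required."""
    step1 = remove_variables(records, DIRECT_IDENTIFIERS)
    step2 = generalize(step1)
    step3 = micro_aggregate(step2, "salary", group_size=3)
    k = k_anonymity(step3, QUASI_IDENTIFIERS)
    if k < k_required:
        raise ValueError(f"result is only {k}-anonymous; {k_required} required")
    return step3, k


if __name__ == "__main__":
    result, k = anonymize(SAMPLE)
    print(f"k = {k}")
    for row in result:
        print(row)
```

Removing the direct identifiers alone leaves every record unique on (age, postcode), so the k check returns 1; only after generalization do the records fall into two groups of three, which is the point of checking k on the output rather than trusting that a method was applied.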
6. Storage Period
Data Subject | Data Categories | Storage Period |
Employee | Employee’s identity information, personnel information, contact information, legal contact information, salary information, professional experience information and training received, employee performance and compliance information, criminal conviction and security, work uniform size, fringe benefits information, financial information, location data, vehicle/license plate information, location information | 10 years from the termination of the employment contract. |
Employee | Data obtained through access to hardware and software | 2 years from the termination of the employment contract |
Business Partner/Solution Partner (Dealer/Franchise/Supplier)/Consultant | Identity information, contact information, financial information and data regarding their employees, relating to the conduct of the business/commercial relationship between the Business Partner/Solution Partner/Consultant and the Company. | For the duration of the business/commercial relationship between the Business Partner/Solution Partner/Consultant and the Company and for 10 years after its termination, pursuant to Article 146 of the Turkish Code of Obligations and Article 82 of the Turkish Commercial Code. |
Website Visitors | Name, surname, e-mail address, cookies and log records of the website visitor. | Stored for 6 months, maximum 2 years. Data on the online visitors is stored for 2 years. |
Visitor | Traffic data processed during the use of the company's internet network, access to the internet and remote connection; IP address, start and end time of the service provided, type of service used, amount of data transferred and subscriber identification information, if any, etc. | 2 years. |
Visitor | Voice recordings from call center calls. | 2 years. |
Employee Candidate | Information included in the CV and job application form of the Employee Candidate. | When the recruitment for the position in question is completed, the CVs and resumes will be destroyed. If consent is obtained from the candidates to keep their CVs and resumes for evaluation in future positions, the data will be stored for 1 year. |
Intern | Information included in the internship file of the intern. | 10 years from the calendar year following the end of the internship relationship. |
Customer | Customer's name, surname, contact information, product/service preferences, transaction history, special day information. | 10 years from the date of delivery of each product/service purchased by the Customer, pursuant to Article 146 of the Turkish Code of Obligations and Article 82 of the Turkish Commercial Code |
Customer | Customer's camera footages, vehicle license plate information. | 2 years. |
Potential Customer | Identity information, contact information and financial information obtained during the contract negotiations regarding the establishment of a commercial relationship between the potential customer and the Company. | 2 years. |
Consumer | Data obtained by the Company through distance sales contracts concluded with consumers. | 3 years. |
Company/ Sole Proprietorship | Legal Action | 10 years following the conclusion of the legal action. |
Customer/Supplier/Franchise | Preparation of contracts | 10 years following the termination of the contract |
* If a longer period is set out in the legislation or a longer period is foreseen for the statute of limitations, limitation periods, storage periods etc., the periods in the provisions of the legislation shall be deemed the maximum storage period.
7. Destruction Periods
The Company shall delete, destroy or anonymize personal data in the first periodic destruction process following the date on which the obligation to delete, destroy or anonymize personal data for which it is responsible arises in accordance with the KVKK, applicable legislation, the Personal Data Processing, Protection and Privacy Policy and this Policy.
When the relevant person applies to the Company pursuant to Article 13 of the Law and requests the deletion or destruction of their personal data:
If all conditions for processing the personal data have ceased to exist, the Company shall delete, destroy or anonymize the requested personal data, stating the reason, within 30 (thirty) days from the date of receipt of the request, using an appropriate destruction method. For the Company to be deemed to have received the request, the relevant person must have made it in accordance with the Personal Data Processing, Protection and Privacy Policy. In any case, the Company shall inform the relevant person of the action taken.
If the conditions for processing the personal data have not all ceased to exist, the Company may reject the request, stating its reason in accordance with the third paragraph of Article 13 of the Law, and the rejection shall be notified to the relevant person in writing or electronically within thirty days at the latest.
8. Periodical Destruction
Where all of the processing conditions specified in the Law no longer exist for particular personal data, the Company shall delete, destroy or anonymize that data through the process described in this Personal Data Storage and Destruction Policy, which is performed ex officio at recurring intervals.
9. Audit of Compliance of Destruction with Law
The Company complies with the Law, other legislation, the Personal Data Processing, Protection and Privacy Policy and this Policy in all destruction processes, whether performed upon request or ex officio as periodic destruction. The Company takes a number of administrative and technical measures to ensure that destruction is performed in accordance with these rules.
10. Technical Measures
The Company keeps technical tools and equipment suitable for each destruction method set out in this Policy.
The company ensures the security of the location of destruction.
The Company maintains access logs of those performing the destruction.
The Company employs competent and experienced employees to perform the destruction or, when necessary, receives services from competent third parties.
Administrative Measures
The Company makes an effort to increase the awareness of its employees who perform destruction on information security and confidentiality of personal data.
The company receives legal and technical consultancy services to follow developments in the field of information security, personal data protection and secure destruction techniques and to take necessary actions.
Where the Company engages third parties to perform destruction due to technical or legal requirements, it shall sign protocols with such third parties for the protection of personal data. The Company takes action to ensure that third parties comply with their obligations under these protocols.
The Company regularly checks whether the destruction is performed in accordance with the law and the conditions and obligations in this Policy, and takes the necessary actions.
The Company records all actions related to the deletion, destruction and anonymization of personal data and keeps these records for at least three years, without prejudice to any longer period required by other legal obligations.
Personal Data and Compliance
Each unit and department that processes personal data, and the Human Resources Department/Unit in particular, is directly responsible for the implementation of this Policy. Legal advisors act as guides and consultants in following and interpreting the applicable legislation and in the legal follow-up of the KVKK process.
Updating and Compliance
The Company reserves the right to make modifications to the Personal Data Processing, Protection and Privacy Policy or this Policy due to amendments to the KVKK, in accordance with the resolutions of KVK Board, or in line with the developments in the industry or in the field of informatics.
Modifications to this Policy shall be immediately reflected on the text and the reasons for modifications are provided at the end of the Policy.
Last Revision Date: 29 December 2023