INTRODUCTION AND PURPOSE OF THE POLICY
This Personal Data Retention and Disposal Policy (“Policy”) has been prepared by Jilda Bal İnsan Kaynakları Yönetim Danışmanlığı (“GILDA&PARTNERS” or the “Company”), in its capacity as the data controller, in accordance with the Personal Data Protection Law No. 6698 (“KVKK” or the “Law”) and the Regulation on the Deletion, Destruction, or Anonymization of Personal Data (“Regulation”), published in the Official Gazette on October 28, 2017. The Policy aims to fulfill our obligations under these regulations and to inform data subjects about the principles for determining the maximum retention period necessary for the purposes for which personal data is processed, as well as the processes for deleting, destroying, or anonymizing such data.
All units of GILDA&PARTNERS are required to comply with this Policy and take the necessary steps to ensure compliance.
All types of personal data shared with GILDA&PARTNERS or obtained by GILDA&PARTNERS fall within the scope of this Policy. This Policy applies exclusively to personal data of natural persons; data related to legal entities are not covered by the Policy.
In the event of any inconsistency between this Policy and KVKK, the Regulation, or other applicable legislation, the provisions of the legislation shall prevail. GILDA&PARTNERS undertakes to ensure compliance with this Policy, as well as with the tools, programs, and processes implemented in accordance with it, during the deletion, destruction, or anonymization of personal data processed within its organization.
DEFINITIONS
| Abbreviation | Definition |
| Recipient Group | The category of natural or legal persons to whom personal data is transferred by the Data Controller. |
| Explicit Consent | Consent that is based on being informed about a specific subject and freely expressed. |
| Anonymization | The process of rendering personal data incapable of being associated with an identified or identifiable natural person, even by matching with other data. |
| Electronic Environment | Environments where personal data can be created, read, modified, and written using electronic devices. |
| Non-Electronic Environment | All written, printed, visual, and other environments other than electronic environments. |
| Service Provider | A natural or legal person providing services to GILDA&PARTNERS within the framework of a specific agreement. |
| Data Subject | The natural person whose personal data is processed. |
| Destruction | The deletion, destruction, or anonymization of personal data. |
| Law/KVKK | Personal Data Protection Law No. 6698. |
| Recording Environment | Any environment where personal data is processed, whether automatically, partially automatically, or non-automatically as part of a data recording system. |
| Personal Data Processing Inventory | An inventory created and detailed by Data Controllers by associating the personal data processing activities they carry out depending on their workflows with data processing purposes, data categories, recipient groups, and data subject groups. |
| Deletion | Rendering personal data inaccessible and unusable for relevant users in any way. |
| Destruction | Rendering personal data inaccessible, irretrievable, and unusable for anyone. |
| Personal Data | Any information relating to an identified or identifiable natural person. |
| Processing of Personal Data | Any operation performed on personal data, wholly or partially by automatic means or otherwise as part of a data recording system, such as collection, recording, storage, retention, modification, rearrangement, disclosure, transfer, acquisition, making available, classification, or prevention of use. |
| Board | The Personal Data Protection Board. |
| Personal Data Protection and Processing Policy | The policy established by GILDA&PARTNERS to regulate the procedures and principles regarding all processes related to the acquisition, recording, protection, and transfer of personal data. |
| Special Categories of Personal Data | Data related to individuals’ race, ethnic origin, political opinions, philosophical beliefs, religion, sect, or other beliefs, appearance, association, foundation or union membership, health, sexual life, criminal convictions, and security measures, as well as biometric and genetic data. |
| Policy | This Personal Data Retention and Disposal Policy. |
| GILDA&PARTNERS | Jilda Bal Human Resources Management Consultancy. |
| Periodic Disposal | The process of deletion, destruction, or anonymization of personal data, carried out periodically and automatically as stipulated in the personal data retention and disposal policy when the conditions for processing personal data defined in the Law cease to exist. |
| Data Processor | A natural or legal person processing personal data on behalf of the Data Controller based on the authority granted by the Data Controller. |
| Data Recording System | The recording system where personal data is structured and processed according to specific criteria. |
| Data Controller | The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system. |
| VERBIS | The Data Controllers Registry Information System. |
| Regulation | The Regulation on the Deletion, Destruction, or Anonymization of Personal Data, published in the Official Gazette on October 28, 2017. |
PRINCIPLES TO BE OBSERVED IN THE RETENTION AND DISPOSAL OF PERSONAL DATA
GILDA&PARTNERS adheres to the following principles in the retention and disposal of personal data:
The deletion, destruction, and anonymization of personal data are carried out in full compliance with the principles listed in Article 4 of the Law, the technical and administrative measures specified in Article 7 of this Policy and Article 12 of the Law, applicable legislative provisions, decisions of the Board, and this Policy.
Unless the Board decides otherwise, GILDA&PARTNERS selects the appropriate method among deletion, destruction, or anonymization methods for personal data. However, if requested by the Data Subject, the appropriate method will be selected with justification provided. If all conditions for the processing of personal data specified in Articles 5 and 6 of the Law no longer exist, GILDA&PARTNERS deletes, destroys, or anonymizes the data either ex officio or upon the Data Subject’s request. In cases where the Data Subject submits a request to GILDA&PARTNERS regarding this matter:
- Requests are finalized within 30 (thirty) days at the latest, and the Data Subject is informed.
- If the data subject to the request has been transferred to third parties, the third parties are notified, and necessary actions are ensured to be taken by those parties.
- If it is determined that the conditions for processing personal data have not ceased to exist, GILDA&PARTNERS may reject the request with justification. In such cases, the Data Subject will be informed in writing or electronically within 30 (thirty) days from the date the request reaches GILDA&PARTNERS.
EXPLANATIONS REGARDING THE REASONS FOR RETENTION AND DISPOSAL
Article 3 of the Law defines the concept of personal data processing, and Article 4 stipulates that personal data processed must be related to, limited to, and proportionate with the purposes for which they are processed and must be retained for the duration required by applicable legislation or for the purpose of processing. Articles 5 and 6 specify the conditions under which personal data may be processed.
Accordingly, GILDA&PARTNERS retains Personal Data within the framework of its activities for the duration specified by applicable legislation or for the duration appropriate for processing purposes.
Processing Purposes Requiring Retention
The Personal Data of data subjects held within GILDA&PARTNERS is retained for the following purposes, in accordance with KVKK and other applicable legislation, as well as the Personal Data Protection and Processing Policy:
- Conducting corporate communication activities with customers,
- Managing recruitment and placement processes,
- Receiving and handling customer requests and complaints,
- Conducting customer consultancy processes and executing contracts,
- Performing billing processes for customers,
- Sending promotional emails and making calls to potential customers,
- Participating in marketing and promotion activities through fairs, symposiums, panels, and congresses,
- Conducting customer visits,
- Managing service procurement and supply processes, including payments and billing,
- Making withholding tax payments,
- Submitting VAT lists,
- Managing communication and business relationships with banks,
- Establishing and managing information technology infrastructure,
- Collecting candidate resumes and receiving applications through the website and various online platforms,
- Evaluating candidate applications to be presented to customers as part of consultancy activities,
- Sharing candidate resumes matching customers’ demands and operations with relevant customers,
- Conducting communication activities,
- Managing human resources processes,
- Ensuring business continuity,
- Conducting marketing and promotional activities,
- Managing supplier relationships,
- Conducting consultancy service procurement processes,
- Managing accounting processes,
- Ensuring data security and conducting data storage activities,
- Enhancing the functionality and performance of the website,
- Personalizing special services offered to data subjects,
- Fulfilling GILDA&PARTNERS’ obligations arising from legislation or other legal responsibilities, including providing information to public institutions and organizations,
- Following lawsuits, enforcement proceedings, administrative and criminal investigations or prosecutions related to GILDA&PARTNERS and fulfilling the burden of proof as evidence in legal disputes.
Legal Reasons Requiring Retention
a) Retaining personal data due to its direct relevance to the establishment and performance of contracts.
b) Retaining personal data for the establishment, exercise, or protection of a legal right.
c) Retaining personal data due to the necessity of its retention for GILDA&PARTNERS’ legitimate interests, provided it does not harm the fundamental rights and freedoms of individuals.
d) Retaining personal data to fulfill GILDA&PARTNERS’ legal obligations.
e) Retaining personal data explicitly required by applicable legislation.
f) For retention activities requiring the explicit consent of the Data Subject, ensuring the explicit consent of the Data Subject has been obtained.
Reasons Requiring Disposal
In accordance with the Regulation, the personal data of Data Subjects will be deleted, destroyed, or anonymized by GILDA&PARTNERS either ex officio or upon request in the following circumstances:
a) If the legislative provisions forming the basis for the processing or retention of personal data are amended or repealed.
b) If the purpose requiring the processing or retention of personal data no longer exists.
c) If the conditions for processing personal data listed in Articles 5 and 6 of the Law cease to exist.
d) If personal data is processed solely based on the condition of explicit consent, and the Data Subject withdraws their consent.
e) If the Data Subject requests the deletion, destruction, or anonymization of their personal data in accordance with Articles 11(e) and 11(f) of the Law, and the Data Controller accepts the request.
f) In cases where the Data Controller rejects the Data Subject’s request for the deletion, destruction, or anonymization of their Personal Data, provides an insufficient response, or fails to respond within the timeframe stipulated by the Law; if a complaint is filed with the Board and the request is deemed appropriate by the Board, and if the maximum retention period for the Personal Data has expired with no conditions justifying a longer retention period.
RETENTION AND DISPOSAL PERIODS
Regarding the Personal Data processed by GILDA&PARTNERS in compliance with KVKK and other applicable legislation:
- If a retention period is specified in the legislation, that period will be adhered to.
- If no retention period is specified in the applicable legislation, reasonable retention periods for the data will be determined within the framework of exceptions identified under KVKK.
When the determined retention periods expire, the Personal Data will be deleted, destroyed, or anonymized.
The retention, disposal, and periodic disposal periods determined by GILDA&PARTNERS can be accessed in the “Retention and Disposal Periods Table” provided in the appendix [Annex-1] of this Policy. Retention periods for process-based data are documented in the “Personal Data Processing Inventory,” and retention periods for data categories are recorded in VERBIS.
PERIODIC DISPOSAL
If the retention period of Personal Data expires or if it is determined that the reasons requiring the processing of the data no longer exist, even in the absence of a request from the Data Subject, the relevant Personal Data will be deleted, destroyed, or anonymized during the first periodic disposal process following the elimination of such reasons.
The periodic disposal of Personal Data is carried out every 6 (six) months. However, if the Board determines a shorter period for periodic disposal in cases where there is a clear illegality or irreparable or impossible damages, this shorter period will be adhered to.
All actions related to the deletion, destruction, and anonymization of Personal Data are recorded, and such records are retained for at least three years, excluding other legal obligations.
MEASURES TAKEN TO ENSURE THE SECURITY OF PERSONAL DATA AND PREVENT UNLAWFUL PROCESSING AND ACCESS
To ensure the secure retention of your Personal Data, prevent its unlawful processing or access, and ensure its lawful disposal, GILDA&PARTNERS implements all necessary administrative and technical measures in accordance with the principles in Article 12 of KVKK and the adequate measures determined and announced by the Board for the processing of special categories of personal data as per Article 6(4) of KVKK.
Administrative Measures:
Under its administrative measures, GILDA&PARTNERS takes the following actions:
a) All units of GILDA&PARTNERS are trained and informed about the lawful processing of Personal Data.
b) Access to stored Personal Data is restricted to authorized personnel and GILDA&PARTNERS representatives whose access is necessary for their job descriptions. Access rights are revoked for employees whose roles change or who leave the organization.
c) Periodic and/or random internal audits are conducted. User account management and authorization control systems are implemented and monitored.
d) In the event that Personal Data is unlawfully obtained by others, the affected parties and the Board are notified as soon as possible.
e) GILDA&PARTNERS fulfills its obligation to inform Data Subjects before commencing the processing of Personal Data.
f) If third-party services are used or collaborations are established for the storage or processing of Personal Data, the contracts with such third parties include provisions ensuring the lawful storage, processing, and security of Personal Data. Awareness of data security is raised among service providers processing data, and the contracts include data security provisions.
g) Personal Data security policies and procedures are established. Protocols and procedures specifically for the security of special categories of Personal Data are also defined and implemented.
h) A Personal Data processing inventory has been prepared.
i) Necessary security measures are taken to regulate access to physical environments containing Personal Data.
Technical Measures:
GILDA&PARTNERS takes the following technical measures to ensure the security of Personal Data:
a) GILDA&PARTNERS establishes or ensures the establishment of the necessary technical infrastructure for the recording, transfer to third parties, deletion, destruction, anonymization, or other processing of Personal Data.
b) GILDA&PARTNERS takes necessary technical precautions to secure recorded Personal Data. These measures are updated in line with technological advancements and the standards determined by the Board or future legislation.
c) GILDA&PARTNERS restricts external access to its internal systems and implements security measures such as firewalls. Network security and application security are ensured, and up-to-date antivirus systems are utilized. Security measures related to the procurement, development, and maintenance of IT systems are applied.
d) GILDA&PARTNERS restricts access to Personal Data and the processing of Personal Data through the programs used, and strong passwords are employed in the electronic environments where Personal Data is processed.
e) Necessary security measures are taken to regulate entry and exit to physical environments containing Personal Data. Physical environments containing Personal Data are secured against external risks (e.g., fire, flood).
f) Personal Data is minimized to the extent possible.
g) Pursuant to Article 12 of KVKK, Personal Data stored in digital environments is protected through encryption methods that meet information security requirements.
h) Special categories of Personal Data, if transmitted via email, are sent encrypted and through KEP (Registered Email System) or corporate email accounts.
i) GILDA&PARTNERS obtains services from third parties when necessary for the technical measures taken.
j) Specific rows of data in databases are deleted using database commands (e.g., Delete). In all these processes, if the relevant user has the authority to restore deleted data, such authority is revoked.
k) Personal Data in physical (paper) environments is destroyed using paper shredders.
l) For destruction, if mere deletion from records is insufficient, additional measures are taken, such as breaking data into pieces too small to interpret, destroying copies of encryption keys, and de-magnetizing, physically deforming, or overwriting storage media to render data irretrievable. The appropriate destruction method is selected based on the types of systems and environments where the data is stored.
PROCEDURES FOR THE RETENTION AND DISPOSAL OF PERSONAL DATA BY GILDA&PARTNERS
RECORDING ENVIRONMENTS
Personal Data of data subjects is securely stored by GILDA&PARTNERS in accordance with applicable legislation and international data security principles. The storage methods vary depending on the type and characteristics of the Personal Data and include:
- Servers: Domain, backup, email, database, web servers.
- Software: Accounting programs, mobile applications.
- Personal Computers: Desktops, laptops.
- Mobile Devices: Phones, tablets.
- Optical Disks: CDs, DVDs.
- Removable Media: USB drives, memory cards.
- Paper Documents: Stored securely in locked cabinets at GILDA&PARTNERS.
All these environments are maintained securely and in compliance with the relevant legal regulations.
PERSONNEL
The titles, departments, and job descriptions of the personnel involved in the personal data retention and disposal process are as follows:
| Title | Department | Job Description |
| Founder | GILDA&PARTNERS’ Data Controller Representative and the authorized person responsible for implementing the Personal Data Retention and Disposal Policy. | Responsible for ensuring that employees act in compliance with the policy, ensuring processes under their responsibility adhere to retention periods, managing the personal data disposal process in accordance with the periodic disposal schedule, and preparing, developing, implementing, publishing, and updating the Policy in relevant environments. |
PERSONAL DATA DISPOSAL METHODS
Personal Data obtained by GILDA&PARTNERS in accordance with KVKK and other relevant legislation will be disposed of using the following techniques, either ex officio or upon the request of the Data Subject, when the purposes for processing Personal Data as specified in the Law and the Regulation cease to exist, in compliance with the provisions of the Law and related legislation.
a) Deletion and Destruction of Personal Data:
The procedures and principles regarding the deletion and destruction of Personal Data by GILDA&PARTNERS are as follows:
Deletion of Personal Data:
Secure Deletion from Software:
When data processed wholly or partially by automated means and stored in digital environments is deleted, methods are used to ensure that the data is rendered inaccessible and unusable for Relevant Users. Examples include:
- Deleting data on central servers using a delete command.
- Revoking access rights for files or directories on central servers.
- Deleting specific rows from databases using database commands.
- Deleting data on portable media (e.g., flash drives) using appropriate software.
If the deletion of Personal Data would result in the inaccessibility or unusability of other data within the system, Personal Data will be considered deleted if it is archived in a manner that ensures it cannot be associated with the Data Subject, provided the following conditions are met:
- The data is inaccessible to any other institution, organization, or person.
- All necessary technical and administrative measures are taken to ensure that only authorized individuals can access the Personal Data.
Obscuring Personal Data in Physical Environments: To prevent the unintended use of Personal Data or to delete requested data, methods such as physically removing the relevant data from documents or obscuring it using permanent ink that cannot be reversed or read using technological solutions are employed.
Destruction of Personal Data:
De-Magnetization: This method involves passing magnetic media through devices that expose it to high magnetic fields, rendering the data unreadable. If de-magnetization fails to successfully destroy the data, the destruction process will be completed by physically destroying the media.
Physical Destruction: Data stored on paper or microfilm is irretrievably destroyed using paper shredders.
b) Anonymization of Personal Data:
The anonymization of Personal Data refers to rendering Personal Data incapable of being associated with an identified or identifiable natural person under any circumstances, even when matched with other data.
For Personal Data to be considered anonymized, it must be rendered unidentifiable through the use of appropriate techniques regarding the recording medium and the relevant area of activity, ensuring that it cannot be reversed or associated with an identified or identifiable natural person by the Data Controller or third parties, including by combining it with other data.
DATA CONTROLLER
GILDA&PARTNERS acts as the “Data Controller” in accordance with KVKK and related regulations. GILDA&PARTNERS can be contacted using the following information:
Address: Esentepe Mah. Büyükdere Cad. Levent 199 Building No:199/6 34394 Şişli/Istanbul
Phone: +90 212 403 9543
Email: info@gildaandpartners.com
UPDATE AND ENFORCEMENT OF THE POLICY
This Policy is maintained in a wet-signed (printed paper) format within GILDA&PARTNERS and is made available for access by Data Subjects upon request. This Policy is updated as needed and when necessary.
The Policy will be published publicly on GILDA&PARTNERS’ corporate website. Any changes to the Policy will be promptly reflected on the company website and made accessible to the public, including individuals whose data is processed by GILDA&PARTNERS. https://gildaandpartners.info/en/personal-data-retention-and-destruction-policy
The latest version of GILDA&PARTNERS’ Personal Data Retention and Disposal Policy can be accessed at .
ANNEX-1: RETENTION AND DISPOSAL PERIODS TABLE
The retention and disposal periods for data processed by GILDA&PARTNERS have been identified on a process basis in the Personal Data Processing Inventory.
| Process | Retention Period | Disposal Period |
| Conducting corporate communication activities with customers | 10 years from the termination of the commercial relationship | During the first periodic disposal period following the retention period |
| Receiving and processing customer requests and complaints | 10 years from the termination of the commercial relationship | During the first periodic disposal period following the retention period |
| Carrying out customer consultancy activities and signing contracts | 10 years from the termination of the commercial relationship | During the first periodic disposal period following the retention period |
| Conducting recruitment and placement processes | 10 years from the termination of the commercial relationship | During the first periodic disposal period following the retention period |
| Conducting billing transactions for customers | 10 years from the termination of the commercial relationship | During the first periodic disposal period following the retention period |
| Sending promotional emails and making calls to potential clients | 1 year | During the first periodic disposal period following the retention period |
| Participating in fairs, symposiums, panels, and congresses and conducting marketing activities | 1 year | During the first periodic disposal period following the retention period |
| Conducting customer visits | 1 year | During the first periodic disposal period following the retention period |
| Managing service procurement and supplier processes and performing payments and invoicing | 10 years from the termination of the legal relationship | During the first periodic disposal period following the retention period |
| Making withholding tax payments | 10 years | During the first periodic disposal period following the retention period |
| Submitting VAT lists | 10 years | During the first periodic disposal period following the retention period |
| Conducting communication activities and business relationships with banks | 10 years from the termination of the legal relationship | During the first periodic disposal period following the retention period |
| Establishing and managing IT infrastructure | 10 years from the termination of the legal relationship | During the first periodic disposal period following the retention period |
| Collecting candidate resumes and applications through websites and online platforms | 1 year | During the first periodic disposal period following the retention period |
| Evaluating candidate applications to be submitted to customers within the scope of consultancy | 10 years from the termination of the commercial relationship | During the first periodic disposal period following the retention period |
| Matching customer requests and operations with suitable candidate resumes | 10 years from the termination of the commercial relationship | During the first periodic disposal period following the retention period |
| Conducting communication activities | 10 years from the termination of the legal relationship | During the first periodic disposal period following the retention period |
| Conducting human resources processes | 10 years from the termination of the legal relationship | During the first periodic disposal period following the retention period |
| Conducting business continuity activities | 10 years from the termination of the legal relationship | During the first periodic disposal period following the retention period |
| Conducting promotion and marketing activities | 1 year | During the first periodic disposal period following the retention period |
| Conducting supplier management | 10 years from the termination of the legal relationship | During the first periodic disposal period following the retention period |
| Conducting consultancy service procurement processes | 10 years from the termination of the commercial relationship | During the first periodic disposal period following the retention period |
| Conducting accounting processes | 10 years from the termination of the legal relationship | During the first periodic disposal period following the retention period |
| Ensuring data security and conducting data storage activities | 10 years from the termination of the legal relationship | During the first periodic disposal period following the retention period |
| Fulfilling obligations arising from legislation, including providing information to public authorities and institutions | 10 years from the termination of the legal relationship | During the first periodic disposal period following the retention period |
| Following lawsuits, enforcement proceedings, administrative and criminal investigations, and prosecutions, and ensuring evidence in legal disputes | 10 years from the termination of the legal relationship | During the first periodic disposal period following the retention period |
