Personal Data Retention and Destruction Policy

 

1. PURPOSE OF POLICY

The purpose of this Policy is to determine the rules, roles and responsibilities applicable throughout Gilda&Partners for the fulfilment of the obligations on the retention and destruction of personal data as required by Articles 5 and 6 of the Regulation on the Deletion, Destruction or Anonymization of Personal Data, issued based on the Law No. 6698 on the Protection of Personal Data (the ''Law'') and published on the Official Gazette No. 30224, dated 28.10.2017, (the ''Regulation'') and other obligations specified in the Regulation.

 

2. SCOPE OF POLICY

This Policy covers personal data and special categories of personal data, as defined by Law, retained by Gilda&Partners, all Gilda&Partners employees, managers, consultants and external service providers, and natural and legal persons with whom Gilda&Partners enters into other types of legal relationships. The Policy covers personal data, as defined in the Law, contained in systems where data are processed through means that are fully or partially automated or that are non-automated, subject to being part of any data recording system. Personal data and special categories of personal data shall together be referred to as the ''Personal Data'' in this Policy, unless otherwise stated.

 

3. DEFINITIONS

''Anonymization'' refers to rendering personal data impossible to associate with a specific or identifiable natural person, even if it is paired with other data.

 

''Destruction'' refers to the deletion, disposal or anonymization of personal data.

 

''Personal Data'' refers to any information relating to an identified or identifiable real person.

 

''Personal Data Retention Table'' refers to the table showing how long personal data will be kept by Gilda&Partners.

 

''Personal Data Processing Inventory'' refers to the inventory through which data controllers explain and detail the personal data processing activities they carry out depending on their business processes, the purposes of processing personal data, data categories, the maximum times periods they have established by associating with transferred group of recipients and data subject group of people and necessary for the purposes for which personal data are processed, personal data required to be transferred abroad and measures taken in relation to data security.

 

''Deletion of Personal Data'' refers to the process of making personal data inaccessible and unavailable for the users concerned.

 

''Destruction of Personal Data'' refers to the process of making personal data inaccessible, non-retrievable and re-useable by any person in any way.

 

''Special Categories of Personal Data'' refers to data on a person's race, ethnic origin, political thought, philosophical belief, religion, sect or other beliefs, costume and attire, membership to any association, foundation or trade union, health, criminal conviction and security measures and biometric and genetic data of such person.

 

''Periodic Destruction'' refers to the process of deleting, destroying or anonymizing, specified in the personal data retention and destruction policy, which will be carried out ex officio at certain intervals in the event that the conditions for processing personal data, as defined in the Law, completely disappear.

 

''Data Recording System'' refers to the recording system in which personal data is configured and processed by certain criteria.

 

4. RECORDING MEDIA UNDER THIS POLICY

Any kind of media containing personal data processed through means that are fully or partially automated or that are non-automated, subject to being part of any data recording system are covered by this Policy.

 

5. ACTIONS TO BE TAKEN IN THE EVENT OF DISAPPEARANCE OF REQUIREMENTS FOR PROCESSING PERSONAL DATA

5.1. In the event that the purpose for the processing of personal data disappears, the express consent has been withdrawn or the conditions of processing of personal data in Articles 5 and 6 disappear or in the event that there is a situation in which none of the exceptions in the said Articles can be applied, personal data for which the conditions of processing disappear shall be deleted, destructed or anonymized by the relevant business unit by taking into account the relevant business needs and explaining the justification of the method applied within the scope of Articles 7, 8, 9 or 10 of the Regulation. However, in case of a finalized court order, the destruction method ruled by the court order must be applied.

 

5.2. All users and data subjects who process or store personal data shall review whether or not the conditions for processing by Gilda & Partners have disappeared in the data recording media they use, at the latest within six months. Upon the application of the personal data subject or the notification of the Board or a competent court, the relevant user shall undertake this review in the data recording media he/she uses, irrespective of the period of periodic review.

 

5.3. When it is determined as a result of periodic reviews or at any time that the conditions for processing of data have disappeared, the relevant user or data subject shall decide to delete, destruct or anonymize the relevant personal data from the recording media under his/her responsibility in accordance with this Policy.

 

5.4. All actions taken relating to the deletion, destruction or anonymization of personal data shall be recorded, and such records shall be kept for at least three (3) years, with the exception of other legal obligations.

 

5.5. The general principles in Article 4 of the Law and the technical and administrative measures to be taken within the scope of Article 12, the relevant legislative provisions, the decisions of the Board and the court decisions must be complied with when deleting, destructing or anonymizing personal data.

 

5.6. When a natural person who owns a personal data applies to Gilda & Partners and requests the deletion, destruction or anonymization of personal data under Article 13 of the Law, it shall be immediately examined whether all the conditions for processing the said personal data have disappeared. If all the conditions for processing have disappeared, Gilda&Partners shall delete, destruct or anonymize the personal data. In this case, the request shall be concluded no later than thirty days after the application date and the person concerned shall be informed thereof. If all the conditions for processing have disappeared and the personal data, subject matter of the request, have been transferred to third-parties, Gilda&Partners shall immediately notify the third-person to whom the personal data has been transferred and shall ensure that the necessary actions are taken by the third-person in accordance with the Regulation.

 

5.7. In cases where all the conditions for processing personal data have not disappeared, requests by personal data subjects for deletion or destruction of their data may be rejected by Gilda&Partners in accordance with the paragraph 3 of Article 13 of the Law. The rejection shall be notified to the person concerned within 30 days in writing or electronically.

 

5.8. Requests for the deletion or destruction of personal data shall be assessed only if the person concerned has been identified. For requests to be filed through channels other than those channels, the persons concerned shall be directed to the channels where identification or verification can be made.

 

6. ENFORCEMENT OF THE POLICY, BREACHES AND SANCTIONS

6.1. This Policy shall enter into force upon its publication on the website of Gilda&Partners and shall be binding upon all Gilda&Partners shareholders, employees, consultants, external service providers and all those who process personal data for Gilda&Partners.

 

6.2. Gilda&Partners shall continuously monitor whether their employees fulfil the requirements of the Policy and shall inform the Committee for the Protection of Personal Data without undue delay should there is a severe and significant breach.

 

6.3. The necessary administrative action shall be taken against the employee who violates the Policy.

 

7. PERSONS WHO WILL BE INVOLVED IN THE DATA RETENTION AND DESTRUCTION PROCESSES OF PERSONAL, AND RESPONSIBILITIES OF THESE PERSONS

Gilda&Partners and all its employees, consultants, external service providers and any other person who stores and processes personal data for Gilda & Partners shall be responsible for fulfilling the requirements for the destruction of personal data specified in the Law, the Regulation, and the Policy.

 

8. RETENTION AND DESTRUCTION PERIODS FOR PERSONAL DATA

The Table showing the Retention and Destruction Periods of Personal Data is given in Annex-1. These retention and destruction periods shall be taken into consideration for periodic destructions or on-demand destructions.

 

9. METHODS APPLICABLE TO DESTRUCTION OF PERSONAL DATA

Gilda&Partners shall delete, destruct and/or anonymize the personal data retained by it using the methods described below.

 

a) Application-type cloud solutions as a service (Office 365, etc.)

 

Gilda&Partners shall delete the personal data in its cloud system by giving the delete command. When performing this process, it shall pay particular attention to the fact that the relevant user is not authorized to bring back the data deleted on the cloud system.

 

b) Personal data in paper form

 

Gilda&Partners shall delete the personal data in paper form by using blanking method. The blanking process shall be done by cutting off the personal data on the relevant document if possible and, if not possible, rendering the personal data invisible to users by using fixed ink in such a way that they cannot be retrieved and cannot be read by technological solutions. Personal data in paper form can also be destructed through a shredder.

 

c) Office files in the central server

 

The file must be deleted using the delete command in the operating system, or the user's access rights on the file or directory where the file is located must be revoked. When performing this process, Gilda&Partners shall pay attention that the user concerned is not a system administrator at the same time.

 

d) Personal data in portable media

 

Gilda&Partners shall store personal data in flash-based storage media in encrypted form and delete them using appropriate software.

 

e) Databases

 

Gilda&Partners shall delete the relevant lines of the personal data using database commands (DELETE, etc.). When performing this process, Gilda&Partners shall pay attention that the user concerned is not a database administrator at the same time.

 

10. PERIODIC DESTRUCTION PERIODS

In the event that the conditions for processing of personal data have completely disappeared (including the condition for storage of personal data has been expired) and the obligation to destruct personal data has arisen, the personal data shall be deleted, destructed or anonymized during the first periodic destruction following the date of the occurrence of this obligation. The periodic destruction shall take place in 6-month periods, being January and June of each year.

 

The process of deletion, destruction or anonymization shall be carried out during the first periodic destruction following the date of the occurrence of this obligation.

 

Where the person concerned applies to our Company and requests the deletion or destruction of his/her own personal data, this request shall be fulfilled within thirty days at the latest if the conditions for processing of his/her personal data have completely disappeared.

 

11. ENFORCEMENT

This Policy shall enter into force as of the date of publication.

 

Annex-1 Table for Retention and Destruction Periods of Personal Data

Personal data shall be retained for the periods specified in the following table taking into account the considerations specified in Article 6 of the Policy and shall be destroyed at the end of this period, unless there is a final court order or interlocutory injunction awarded contrary.