This Personal Data Retention and Destruction Policy ("Policy") has been prepared by the data controller AÇI GRUP İÇECEK GIDA LOJİSTİK SANAYİ VE TİCARET LİMİTED ŞİRKETİ and AÇI TÜTÜN VE GIDA LOJİSTİK TİCARET SANAYİ A.Ş. in order to fulfill our obligations in accordance with the Law No. 6698 on the Protection of Personal Data ("Law") and the secondary regulation of the Law, namely the Regulation on Deletion, Destruction, or Anonymization of Personal Data ("Regulation"), and to inform data subjects about the principles for determining the maximum storage period necessary for the purposes for which personal data are processed, as well as the processes of deletion, destruction, and anonymization.
Definitions
Explicit Consent: Informed, specific, and freely given consent on a particular matter.
Concerned User: Data processors, that is, individuals or entities within the data controller organization who process personal data in accordance with the authority and instructions received from the data controller, excluding those responsible for the technical storage, protection, and backup of data.
Destruction: Deletion, destruction, or anonymization of personal data.
Record Medium: Any medium containing personal data that is processed either entirely or partly by automatic means or forms part of a filing system, regardless of whether it is automated.
Personal Data: Any information relating to an identified or identifiable natural person.
Processing of Personal Data: Any operation or set of operations performed on personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction of data.
Anonymization of Personal Data: Rendering personal data anonymous.
Deletion of Personal Data: Making personal data inaccessible and unusable for the concerned users.
Destruction of Personal Data: Irretrievable and unrecoverable erasure of personal data.
Board: The Personal Data Protection Board.
Periodic Destruction: In the event that all the processing conditions of personal data specified in the Law cease to exist, the deletion, destruction, or anonymization process specified in the personal data retention and disposal policy will be carried out resolutely at recurring intervals.
Data Subject/Concerned Person: The individual whose personal data is being processed.
Principles
The company operates within the framework of the principles outlined below for the storage and destruction of personal data:
- Requests are responded to within 30 (thirty) days at the latest,
- If the data subject's data has been transferred to third parties, the third party to whom the data has been transferred is notified of the request, and it is ensured that the third party takes the necessary actions.
Explanations Regarding Reasons Requiring Storage and Destruction
Personal data belonging to data owners are stored by the Company within the limits specified in the Law and other relevant legislation, especially for (i) the sustainability of commercial activities, (ii) the fulfillment of legal obligations, (iii) planning and execution of employee rights and benefits within the framework specified in the Law and other relevant legislation.
The reasons requiring storage are as follows:
In accordance with the Regulation, personal data belonging to data subjects are deleted, destroyed, or anonymized by the Company upon request or ex officio in the following cases:
Storage and Destruction Periods
In determining the storage and destruction periods of your personal data obtained by the Company in accordance with the Law and other relevant legislation, the following criteria are utilized:
- Personal data is classified as personal data and special categories of personal data based on the definition in Article 6 of the Law. All personal data determined to be special in nature is destroyed. The method to be applied in the destruction of this data is determined based on the nature of the data and the importance of its storage to the Company.
- Compliance of the storage of the data with the principles specified in Article 4 of the Law is assessed; for example, it is questioned whether the Company has a legitimate purpose for storing the data. Data found to be contrary to the principles specified in Article 4 of the Law is deleted, destroyed, or anonymized.
- It is determined under which of the exceptions specified in Articles 5 and 6 of the Law the storage of the data can be evaluated. Reasonable periods for the storage of data are determined within the framework of the identified exceptions. After the expiration of these periods, the data is deleted, destroyed, or anonymized.
You can access the storage, destruction, and periodic destruction periods determined by the Company in the annex of this Policy. Personal data whose storage period has expired is anonymized or destroyed at intervals of 6 (six) months, in accordance with the procedures specified in this Policy. All processes related to the deletion, destruction, and anonymization of personal data are recorded, and these records are kept for at least 3 (three) years, except for other legal obligations.
Methods, Technical, and Administrative Measures for the Storage and Destruction of Personal Data
In accordance with the principles in Article 12 of the Law, all administrative and technical measures taken by the Company to securely store your personal data, prevent its unlawful processing, prevent access to it, and lawfully destroy the data are listed below:
Administrative Measures:
Under administrative measures, the Company;
Technical Measures:
Under technical measures, the Company;
In cases where special categories of personal data are transferred;
- If data transfer via email is necessary, ensures that it is transferred in encrypted form using the corporate email address or a KEP account,
- If data needs to be transferred via portable storage, CD, DVD, etc., ensures encryption using cryptographic methods,
- If transfer occurs between servers in different physical locations, ensures transfer between servers via VPN or sFTP methods,
- If data needs to be transferred in paper format, ensures that documents are sent in a "confidential documents" format.
Duties and Powers of the Personal Data Protection Committee
The Personal Data Protection Committee is responsible for informing relevant business units about the Policy and ensuring compliance with it. The Committee monitors legislative changes regarding the protection of personal data, regulatory actions and decisions of the Board, court decisions, and changes in processes, applications, and systems, notifies relevant business units about them, and ensures the necessary announcements and notifications for updating business processes where required. It also establishes and communicates processes for reviewing, evaluating, tracking, and concluding the Law and secondary regulations, decisions, and regulations of the Board, court decisions, and/or requests of other competent authorities.
Implementation of the Policy, Breach Situations, and Sanctions
Appendix 1: Personnel Title, Unit, and Duty List
Appendix 2: Table Showing Personal Data Storage and Destruction Periods
Personal data will be stored for the periods specified in the table below, considering the provisions of Article 4 of the policy, and will be anonymized or destroyed at the end of the period:
Process | Retention Period | Destruction Period |
---|---|---|
Data retained under the Labor Law (e.g., performance records, etc.) | 5 years following the termination of the employment relationship | Within 180 days after the end of the retention period |
Data collected under occupational health and safety legislation (health reports, etc.) | 15 years following the termination of the employment relationship | Within 180 days after the end of the retention period |
Data kept under Social Security Institution (SGK) legislation | 10 years following the termination of the employment relationship | Within 180 days after the end of the retention period |
Documents that may be used in a request/lawsuit related to work accidents/occupational diseases | 10 years following the termination of the employment relationship | Within 180 days after the end of the retention period |
Data collected under other relevant legislation | As long as prescribed by the relevant legislation | Within 180 days after the end of the retention period |
Personal data subject to the Turkish Penal Code or other legislation imposing criminal penalties | During the statute of limitations for prosecution | Within 180 days after the end of the retention period |
Customer data | 10 years following recording | Within 180 days after the end of the retention period |
If the purpose of using the relevant personal data ceases, and if the retention period prescribed by the relevant legislation for the respective personal data exceeds the periods indicated in the table above, or if the statute of limitations for the related subject matter requires the personal data to be retained for longer than the periods indicated in the table, the periods indicated in the table may not be applicable. In this case, whichever of the purpose of use, special legislation, or statute of limitations expires later will apply.