Personal Data Storage and Destruction Policy

This Personal Data Retention and Destruction Policy ("Policy") has been prepared by the data controller AÇI GRUP İÇECEK GIDA LOJİSTİK SANAYİ VE TİCARET LİMİTED ŞİRKETİ and AÇI TÜTÜN VE GIDA LOJİSTİK TİCARET SANAYİ A.Ş. in order to fulfill our obligations in accordance with the Law No. 6698 on the Protection of Personal Data ("Law") and the secondary regulation of the Law, namely the Regulation on Deletion, Destruction, or Anonymization of Personal Data ("Regulation"), and to inform data subjects about the principles for determining the maximum storage period necessary for the purposes for which personal data are processed, as well as the processes of deletion, destruction, and anonymization.

Definitions

Explicit Consent: Informed, specific, and freely given consent on a particular matter.

Relevant User: Persons who process personal data within the data controller's organization or in accordance with the authority and instructions received from the data controller, excluding those responsible for the technical storage, protection, and backup of the data.

Destruction: Deletion, destruction, or anonymization of personal data.

Record Medium: Any medium containing personal data that is processed either entirely or partly by automatic means or forms part of a filing system, regardless of whether it is automated.

Personal Data: Any information relating to an identified or identifiable natural person.

Processing of Personal Data: Processing of personal data refers to any operation or set of operations which is performed on personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction of data.

Anonymization of Personal Data: Rendering personal data anonymous, so that it can no longer be associated with an identified or identifiable natural person.

Deletion of Personal Data: Making personal data inaccessible and unusable for the Relevant Users.

Destruction of Personal Data: Irretrievable and Unrecoverable Erasure of Personal Data.

Board: The Personal Data Protection Board.

Periodic Destruction: In the event that all the conditions for processing personal data specified in the Law cease to exist, the deletion, destruction, or anonymization process specified in the personal data retention and destruction policy is carried out ex officio at recurring intervals.

Data Subject/Concerned Person: The individual whose personal data is being processed.

Principles

The company operates within the framework of the principles outlined below for the storage and destruction of personal data:

  • Personal data is deleted, destroyed, and anonymized entirely in accordance with the Law, the provisions of the relevant legislation, Board decisions, and this Policy.

  • All operations related to the deletion, destruction, and anonymization of personal data are recorded by the Company, and these records are kept for at least 3 (three) years, except for other legal obligations.

  • Unless the Board decides otherwise, the appropriate method for the ex officio deletion, destruction, or anonymization of personal data is selected by us. However, in case of a request from the Data Subject, the appropriate method is selected and the rationale for it is explained.

  • If all the conditions for the processing of personal data specified in Articles 5 and 6 of the Law cease to exist, personal data is deleted, destroyed, or anonymized by the Company ex officio or upon request of the data subject. In this regard, if the Data Subject applies to the Company:

    - Requests are responded to within 30 (thirty) days at the latest,

    - If the data subject's data has been transferred to third parties, the third parties to whom the data has been transferred are notified of this situation, and it is ensured that they take the necessary actions.

Explanations Regarding Reasons Requiring Storage and Destruction

Personal data belonging to data subjects are stored by the Company within the limits specified in the Law and other relevant legislation, in particular for (i) the continuity of commercial activities, (ii) the fulfillment of legal obligations, and (iii) the planning and execution of employee rights and benefits within the framework specified in the Law and other relevant legislation.

The reasons requiring storage are as follows:

  • Storage due to being directly related to the establishment and performance of contracts,

  • Storage for the establishment, use, or protection of a right,

  • Storage for the legitimate interests of the Company, provided that this does not harm the fundamental rights and freedoms of individuals,

  • Storage for the fulfillment of any legal obligations of the Company,

  • Explicit provision in the legislation regarding the storage of personal data,

  • Existence of explicit consent of data subjects for storage activities requiring explicit consent.

In accordance with the Regulation, personal data belonging to data subjects are deleted, destroyed, or anonymized by the Company upon request or ex officio in the following cases:

  • Necessity arising from the change or abolition of the relevant legislation provisions that form the basis for the processing or storage of personal data,

  • Disappearance of the purpose requiring the processing or storage of personal data,

  • Disappearance of the conditions requiring the processing of personal data specified in Articles 5 and 6 of the Law,

  • Withdrawal of consent by the relevant person in cases where processing of personal data is solely based on explicit consent,

  • Acceptance by the data controller of the application made by the data subject for the deletion, destruction, or anonymization of personal data within the framework of the rights specified in Article 11 of the Law,

  • In case the data controller rejects the application made by the data subject for the deletion, destruction, or anonymization of personal data, finds the response insufficient, or does not respond within the period specified in the Law; lodging a complaint with the Board and the approval of this request by the Board,

  • Although the maximum period requiring storage of personal data has elapsed, absence of any condition justifying the storage of personal data for a longer period.


Storage and Destruction Periods

In determining the storage and destruction periods of your personal data obtained by the Company in accordance with the Law and other relevant legislation, the following criteria are applied:

  • If a period is specified in the legislation for the storage of the personal data in question, compliance is ensured with this period. After the expiration of said period, the process outlined in the following article is carried out regarding the data.

  • If the period specified in the legislation for the storage of the personal data in question has expired, or if the relevant legislation specifies no period for the storage of the data, the following steps are followed in order:

    - Personal data is classified as general personal data or special categories of personal data based on the definition in Article 6 of the Law. All personal data determined to be of a special nature is destroyed. The method applied in destroying this data is determined based on the nature of the data and the importance of its storage to the Company.

    - Whether the storage of the data complies with the principles specified in Article 4 of the Law is assessed; for example, whether the Company has a legitimate purpose for storing the data is questioned. Data found to be contrary to the principles specified in Article 4 of the Law is deleted, destroyed, or anonymized.

    - It is determined within which of the exceptions specified in Articles 5 and 6 of the Law the storage of the data falls. Reasonable storage periods are determined within the framework of the identified exceptions. After these periods expire, the data is deleted, destroyed, or anonymized.

The storage, destruction, and periodic destruction periods determined by the Company can be found in the annex to this Policy. Personal data whose storage period has expired is anonymized or destroyed in accordance with the procedures specified in this Policy at intervals of 6 (six) months. All processes related to the deletion, destruction, and anonymization of personal data are recorded, and these records are kept for at least 3 (three) years, except where other legal obligations apply.

Methods and Technical and Administrative Measures for the Storage and Destruction of Personal Data

In accordance with the principles in Article 12 of the Law, all administrative and technical measures taken by the Company to securely store your personal data, prevent its unlawful processing, prevent unlawful access to it, and lawfully destroy the data are listed below:

Administrative Measures:

Under administrative measures, the Company:

  • Limits access to stored personal data to personnel who need access according to their job descriptions. In restricting access, consideration is given to whether the data is of a special nature and its importance.

  • In case personal data processed is obtained by others through unlawful means, notifies the relevant party and the Board as soon as possible.

  • Ensures data security by signing framework contracts or adding clauses regarding data protection and data security to existing contracts with individuals with whom personal data is shared.

  • Employs knowledgeable and experienced personnel regarding the processing of personal data and provides necessary training to its personnel on legislation for the protection of personal data and data security.

  • Conducts the necessary audits to ensure that the provisions of the Law are implemented within its own legal entity, and remedies any privacy and security vulnerabilities identified during these audits.

  • Ensures that adequate security measures (against electrical leakage, fire, flooding, theft, etc.) are taken according to the environment where personal data is located, and prevents unauthorized access to these environments.


Technical Measures:

Under technical measures, the Company:

  • Conducts the necessary internal controls within its established systems.

  • Carries out information technology risk assessment and business impact analysis processes within established systems.

  • Provides the technical infrastructure to prevent or detect the leakage of data outside the institution, and creates the related matrices.

  • Checks for system vulnerabilities by conducting penetration tests regularly and whenever necessary.

  • Ensures control over access permissions of personnel working in information technology departments to personal data.

  • Ensures the destruction of personal data in a manner that cannot be recovered and leaves no trace.

  • Encrypts all digital media on which personal data is stored using cryptographic methods, as required by information security and in accordance with Article 12 of the Law.

  • Ensures secure logging of all movements related to special category personal data.

  • Continuously monitors security updates for environments where data is located and regularly conducts necessary security tests.

  • Ensures regular security testing of software accessing special category personal data.

  • Provides a two-factor authentication system for remote access to special category personal data.

When transferring special category personal data, the Company:

    - If transfer by email is necessary, ensures that the data is sent encrypted, using the corporate email address or a KEP (registered electronic mail) account,
    - If the data needs to be transferred via portable storage media, CDs, DVDs, etc., ensures that it is encrypted using cryptographic methods,
    - If the transfer takes place between servers in different physical locations, ensures that it is carried out over VPN or SFTP,
    - If the data needs to be transferred on paper, ensures that the documents are sent marked as "confidential documents".

Duties and Powers of the Personal Data Protection Committee

The Personal Data Protection Committee is responsible for informing the relevant business units about the Policy and for ensuring compliance with it. The Committee monitors legislative changes regarding the protection of personal data, regulatory actions and decisions of the Board, court decisions, and changes in processes, applications, and systems; it notifies the relevant business units of these and, where necessary, makes the announcements and notifications needed to update business processes. It also establishes and communicates the processes for reviewing, evaluating, tracking, and concluding matters arising from the Law and its secondary regulations, the decisions and regulations of the Board, court decisions, and/or the requests of other competent authorities.

Implementation of the Policy, Breach Situations, and Sanctions

  • This Policy will be effective upon being announced to all employees and will be binding for all business units, consultants, external service providers, and anyone processing personal data.

  • Monitoring whether employees comply with the policy will be the responsibility of their respective superiors. When non-compliance with the Policy is identified, the matter will be immediately reported to the immediate superior of the relevant employee.

  • In case of significant non-compliance, the upper management will promptly inform the Personal Data Protection Committee.

  • After an evaluation by Human Resources, necessary administrative action will be taken against employees who violate the Policy.

Appendix 1: Personnel Title, Unit, and Duty List

Appendix 2: Table Showing Personal Data Storage and Destruction Periods

Personal data will be stored for the periods specified in the table below, considering the provisions of Article 4 of the Policy, and will be anonymized or destroyed at the end of the period:

Process | Retention Period | Destruction Period
Data retained under the Labor Law (e.g., performance records) | 5 years following the termination of the employment relationship | Within 180 days after the end of the retention period
Data collected under occupational health and safety legislation (health reports, etc.) | 15 years following the termination of the employment relationship | Within 180 days after the end of the retention period
Data kept under Social Security Institution (SGK) legislation | 10 years following the termination of the employment relationship | Within 180 days after the end of the retention period
Documents that may be used in a request or lawsuit related to work accidents or occupational diseases | 10 years following the termination of the employment relationship | Within 180 days after the end of the retention period
Data collected under other relevant legislation | As long as prescribed by the relevant legislation | Within 180 days after the end of the retention period
Personal data subject to the Turkish Penal Code or other legislation imposing criminal penalties | For the duration of the statute of limitations for prosecution | Within 180 days after the end of the retention period
Customer data | 10 years following recording | Within 180 days after the end of the retention period

If the purpose of using the relevant personal data ceases, yet the retention period prescribed by the relevant legislation for that data exceeds the periods indicated in the table above, or the statute of limitations for the related subject matter requires the data to be retained longer than those periods, the periods indicated in the table do not apply. In that case, whichever of the purpose of use, the special legislation, or the statute of limitations expires latest applies.