Personal Data Retention and Disposal Policy
SECTION 1: NATURE AND PURPOSE OF THE STORAGE AND DISPOSAL POLICY
This destruction policy of SDS-Solid Drilling Solutions (briefly, “SDS”) was prepared to determine the procedures and principles to be applied by SDS regarding the deletion, destruction or anonymization of personal data in accordance with the Law on the Protection of Personal Data No. 6698 and other legislation. In this context, the personal data of our employees, employee candidates, customers and all real persons who have personal data in SDS for any reason are managed in accordance with the laws within the framework of the Personal Data Processing and Protection Policy and this Personal Data Storage and Disposal Policy.
Recipient Group: The natural or legal person category to which personal data is transferred by the data controller
Explicit Consent: Consent about a specific subject, based on information and expressed with free will.
Anonymization: Making personal data incapable of being associated with an identified or identifiable natural person in any way, even by matching with other data.
Employee: Personnel of the Personal Data Protection Agency.
EBYS: Electronic Document Management System
Electronic Media: Environments where personal data can be created, read, changed and written with electronic devices.
Non-Electronic Media: All written, printed, visual and other environments other than electronic media.
Service Provider: A natural or legal person who provides services within the framework of a specific contract with the Personal Data Protection Authority.
Relevant Person: The natural person whose personal data is processed.
Relevant User: Persons who process personal data within the organization of the data controller or in line with the authorization and instruction received from the data controller, excluding the person or unit responsible for the technical storage, protection and backup of the data.
Destruction: Deletion, destruction or anonymization of personal data.
Law: Law on Protection of Personal Data No. 6698.
Recording Media: Any environment where personal data is processed wholly or partially automatically or non-automatically provided that it is a part of any data recording system.
Personal Data: Any information relating to an identified or identifiable natural person.
Personal Data Processing Inventory: The inventory that data controllers create by associating the personal data processing activities they carry out depending on their business processes with the personal data processing purposes and legal reason, the data category, the transferred recipient group and the data subject group, and in which they explain the maximum storage period required for the purposes for which the personal data is processed, the personal data to be transferred to foreign countries and the measures taken regarding data security.
Processing of Personal Data: Any kind of operation performed on personal data, such as obtaining, recording, storing, changing, rearranging, disclosing, transferring, taking over, making available, classifying or preventing its use, by fully or partially automatic means, or by non-automatic means provided that it is a part of any data recording system.
Board: Personal Data Protection Board
Sensitive Personal Data: Data about race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data.
Periodic Destruction: The deletion, destruction or anonymization process that will be carried out ex officio at repetitive intervals and specified in the personal data storage and destruction policy, in case all the conditions for processing personal data in the law are no longer valid.
Policy: Personal Data Retention and Disposal Policy
Data Processor: The natural or legal person who processes personal data on behalf of the data controller, based on the authority given by the data controller.
Data Registration System: The registration system in which personal data is processed and structured according to certain criteria.
Data Controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.
Data Controllers Registry Information System: An information system created and managed by the Presidency, accessible over the internet, to be used by data controllers in their application to the Registry and other related procedures.
VERBIS: Data Controllers Registry Information System
Regulation: Regulation on the Deletion, Destruction or Anonymization of Personal Data published in the Official Gazette dated 28 October 2017.
CHAPTER 2 ENVIRONMENTS AND SAFETY PRECAUTIONS
ENVIRONMENTS WHERE PERSONAL DATA IS STORED
Personal data stored within SDS are kept in a recording environment in accordance with the nature of the relevant data and our legal obligations. The recording media used for the storage of personal data are generally listed below. However, some data may be kept in a different environment than the ones shown here, due to their special qualities or our legal obligations. In any case, SDS acts as a data controller and processes and protects personal data in accordance with the Law, the Personal Data Processing and Protection Policy and this Personal Data Storage and Disposal Policy.
- Servers (Domain, backup, email, database, web)
- Software (ERP Programs, Office Software)
- Personal Computers (Desktop, Laptop)
- Mobile Devices (Phone, Tablet)
- Removable Memory (USB, Memory Card etc.)
- Manual data recording systems
- Written and Printed Invoice
SECURING ENVIRONMENTS
SDS takes all necessary technical and administrative measures in accordance with the characteristics of the relevant personal data and the environment in which it is kept, in order to keep personal data safe and to prevent unlawful processing and access. These measures include, but are not limited to, the following administrative and technical measures to the extent that they comply with the nature of the personal data and the environment in which it is kept.
- Risks and threats that would affect the continuity of information systems are continuously monitored through real-time analysis with information security event management.
- Access to information systems and user authorization are managed by security policies, through an access and authorization matrix and the corporate Active Directory.
- Necessary measures are taken for the physical security of the information systems equipment, software and data of the institution.
- In order to ensure the security of information systems against environmental threats, hardware (access control system that allows only authorized personnel to enter the system room, 24/7 employee monitoring system, physical security of the edge switches that make up the local area network, fire extinguishing system, air conditioning system, etc.) and software (firewalls, attack prevention systems, network access control, systems preventing malware, etc.) measures are taken.
- In order to prevent unlawful processing of personal data, risks are identified, appropriate technical measures are taken against these risks, and technical controls are carried out on the measures taken.
- The Institution takes the necessary measures to ensure that deleted personal data is inaccessible and non-reusable for the relevant users.
- Security vulnerabilities are tracked, appropriate security patches are installed and information systems are kept up-to-date.
- Strong passwords are used in electronic environments where personal data is processed.
- Data backup programs are used to keep personal data safe.
- Access to the institution’s web page is encrypted with the SHA 256 Bit RSA algorithm over a secure protocol (HTTPS).
- In order to improve the quality of employees, information is provided on the prevention of illegal processing of personal data, the prevention of illegal access to personal data, the protection of personal data, communication techniques, technical knowledge and skills, Law No. 657 and other relevant legislation.
- Confidentiality agreements are signed by the employees regarding the activities carried out by the Institution.
- A personal data processing inventory has been prepared.
SECTION 3: DISPOSAL OF PERSONAL DATA
REASONS FOR STORAGE AND DISPOSAL
REASONS FOR STORAGE
The data of the employees kept within the body of SDS are kept in order to fulfill the financial and personal rights of the employees.
Customer data, on the other hand, are kept within the scope of the contracts made with the customers, the processing of billing information, the issuance of checks, promissory notes and other commercial documents, and the ERP program used within SDS.
REASONS FOR DISPOSAL
Personal data within the body of SDS are deleted, destroyed or anonymized ex officio in accordance with this destruction policy, upon the request of the person concerned or if the reasons listed in Articles 5 and 6 of the Law are eliminated.
The reasons listed in Articles 5 and 6 of the Law consist of the following:
- Explicitly stipulated by law.
- It is compulsory for the protection of life or physical integrity of the person or another person, who is unable to express his consent due to actual impossibility or whose consent is not given legal validity.
- It is necessary to process the personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract.
- It is mandatory for the data controller to fulfill its legal obligation.
- The personal data has been made public by the person concerned himself.
- Data processing is mandatory for the establishment, exercise or protection of a right.
- Data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.
In the event that the reasons requiring the processing of the data disappear, SDS automatically deletes, destroys or anonymizes the personal data it stores in accordance with the Law and other legislation and the Policy on the Processing and Protection of Personal Data, upon the request of the person concerned or within the periods specified in this Personal Data Retention and Destruction Policy.
The most commonly used deletion, destruction and anonymization techniques by SDS are listed below:
PERSONAL DATA IN PHYSICAL ENVIRONMENT
Personal data on paper whose required retention period has expired are irreversibly destroyed in paper shredding machines.
PERSONAL DATA IN THE ELECTRONIC ENVIRONMENT
Personal data in the electronic environment whose retention period has expired are rendered inaccessible and non-reusable for other employees (relevant users), except the database administrator.
| DATA OWNER | DATA CATEGORY | DATA STORAGE PERIOD |
| --- | --- | --- |
| Worker | Recruitment documents to the Social Security Institution; Personnel data that is the basis for notifications regarding length of service and wages | It is retained during the service contract and for a period of 50 (fifty) years from its end. |
| Worker | Recruitment documents to the Social Security Institution; Personnel data excluding the personnel data that is the basis for notifications regarding the length of service and wages | It is retained during the service contract and for a period of 10 (ten) years from the beginning of the calendar year following its end. |
| Worker | Data in the Workplace Personal Health File | It is retained for a period of 30 (thirty) years from the end of the service contract. |
| Business Partner/Solution Partner/Consultant | Identity information, contact information, financial information about the execution of the commercial relationship between the Business Partner/Solution Partner/Consultant and SDS, voice recordings from phone calls, Business Partner/Solution Partner/Consultant employee | It is kept during the business/commercial relationship of the Business Partner/Solution Partner/Consultant with SDS and for 10 years from its end, in accordance with Turkish Code of Obligations art.146 and Turkish Commercial Code art.82. |
| Visitor | Visitor’s name, surname, T.C.K.N. | It is stored for 2 years. |
| Website Visitor | Name, surname, e-mail address, navigational information of the Website Visitor | It is stored for 2 years. |
| Customer | Customer’s name, surname, T.C.K.N., contact information, payment information and methods, navigational movements, product/service preferences, transaction history, special day information | It is kept for 10 years for each product/service purchased by the Customer, pursuant to art.146 of the Turkish Code of Obligations and art.82 of the Turkish Commercial Code. |
| Customer | Camera images | It is stored for 1 month. |
| Potential Customer | Identity information, contact information, financial information obtained during the contract negotiations on the establishment of a commercial relationship between the Potential Customer and SDS | It is stored for 2 years. |
| Institutions/Companies SDS Collaborates With (Supplier, Contract Manufacturer, Dealer/Franchise) | Identity information, contact information, financial information, voice recordings from phone calls, data of SDS Collaborating Institution/Company employee regarding the execution of the commercial relationship between SDS and SDS Collaborating Institutions/Companies | It is kept for 10 years from the end of the business/commercial relationship between SDS and the Institutions/Companies it cooperates with, in accordance with Turkish Code of Obligations art.146 and Turkish Commercial Code art.82. |
If the legislation provides for a longer period, or if a longer period is foreseen in the legislation for the statute of limitations, foreclosure period, retention periods, etc., the periods in the provisions of the legislation are considered as the maximum storage period.
DISPOSAL TIMES
SDS deletes, destroys or anonymizes the personal data it is responsible for in the first periodic destruction process following the date on which the obligation to delete, destroy or anonymize that data arises in accordance with the Law, the relevant legislation, the Policy on the Processing and Protection of Personal Data and this Personal Data Retention and Disposal Policy.
When the person concerned requests the deletion or destruction of his/her personal data by applying to SDS pursuant to Article 13 of the Law:
- If all the conditions for processing personal data have disappeared, SDS deletes, destroys or anonymizes the personal data subject to the request with the appropriate destruction method, explaining the reason, within 30 (thirty) days from the day it receives the request. In order for SDS to be deemed to have received the request, the person concerned must have made the request in accordance with the Personal Data Processing and Protection Policy. In any case, SDS informs the person concerned about the transaction.
- If all the conditions for processing personal data have not disappeared, this request may be rejected by SDS by explaining the reason in accordance with the third paragraph of Article 13 of the Law, and the refusal is notified to the relevant person in writing or electronically within thirty days at the latest.
In the event that all the conditions for the processing of personal data in the Law are eliminated, SDS deletes, destroys or anonymizes the personal data whose processing conditions have been eliminated, through a process carried out ex officio at recurring intervals and specified in this Personal Data Retention and Disposal Policy. Periodic destruction processes start for the first time on 30.06.2018 and repeat every 6 (six) months.
CHAPTER 4 PERSONAL DATA COMMITTEE
A Personal Data Committee is established within SDS. The Personal Data Committee is authorized and in charge of taking the necessary actions and supervising the processes for the storage and processing of the data of the persons concerned in accordance with the law, the Personal Data Processing and Protection Policy and the Personal Data Retention and Disposal Policy. The Personal Data Committee consists of three people: a manager, an administrative expert and a technical expert.
CHAPTER 5 UPDATE AND COMPLIANCE
SDS reserves the right to make changes in the Processing and Protection of Personal Data Policy or this Personal Data Retention and Disposal Policy in line with the changes made in the Law, in accordance with the decisions of the Institution or in line with the developments in the sector or in the field of informatics. Changes made in this Personal Data Retention and Disposal Policy are immediately processed in the text and explanations regarding the changes are announced at the end of the policy.
CHAPTER 6. IMPLEMENTATION AND REVOCATION OF THE POLICY
The policy is deemed to have entered into force after it is published on the Institution’s website. In the event that it is decided to repeal it, old wet-signed copies of the Policy are cancelled by Board Decision (with an annulment stamp or an annulment note), signed and kept by the Committee for at least 5 years.