Disposal Policy
This Personal Data Retention and Destruction Policy ("Policy") is intended to fulfil our obligations pursuant to the Law No. 6698 on the Protection of Personal Data ("Law") and the Regulation on the Deletion, Destruction or Anonymization of Personal Data ("Regulation"), which constitutes the secondary regulation of the Law, and to protect data owners from deletion and destruction of personal data with the principles of determining the maximum retention period required for the purpose for which your personal data are processed, It has been prepared by Be One Mobile Online Sales Marketing Food Cosmetics Production Trade and Industry Inc. ("Company") as the data controller in order to inform about the destruction and anonymization processes.
Definitions
Explicit Consent: Consent on a specific subject, based on information and expressed with freewill.
Relevant User: Person who process personal data within the organization of the data controller or in accordance with the authorization and instruction received from the data controller, except for the person or unit responsible for the technical storage, protection and backup of the data.
Destruction: The erasure, destruction or anonymization of personal data.
Recording Medium: Any medium in which personal data processed by fully or partially automatic means or by non-automatic means provided that it is part of any data recording system.
Personal Data: Any information relating to an identified or identifiable natural entity.
Processing of Personal Data: Any operation performed on personal data such as obtaining, recording, storing, preserving, modifying, reorganizing, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data by fully or partially automated or non-automated means provided that it is part of any data recording system.
Anonymization of Personal Data: Making personal data impossible to be associated with an identified or identifiable natural entity under any circumstances, even by matching with other data.
Deletion of Personal Data: Deleting personal data; making personal data inaccessible and non-reusable in any way for the Relevant Users.
Destruction of Personal Data: The process of making personal data inaccessible, unrecoverable and unusable by anyone in any way.
Periodic Destruction: The process of deletion, destruction or anonymization to be carried out ex officio at recurring intervals specified in the personal data storage and destruction policy in the event that all of the conditions for processing personal data specified in the Law disappear.
Data Owner/Related Person: The natural entity whose personal data is processed.
Principles
The Company acts within the framework of the following principles in the storage and destruction of personal data:
- All transactions regarding the erasure, destruction and anonymization of personal data are recorded by the Company and such records are kept for at least 3 (three) years, excluding other legal obligations.
- In the event that all of the conditions for the processing of personal data specified in Articles 5 and 6 of the Law disappear, personal data are deleted, destroyed or anonymized by the Company ex officio or upon the request of the data subject. In case the Relevant Person applies to the Company in this regard;
- The requests are answered within 30 (thirty) days at the latest,
- In case the data subject to the request are transferred to third parties, this situation is notified to the third party to whom the data are transferred and necessary actions are taken before the third parties.
Explanations on the Reasons for Retention and Destruction
Personal data belonging to data subjects are stored by the Company within the limits specified in the Law and other relevant legislation, especially for the continuation of commercial activities, fulfilment of legal obligations, planning and performance of employee rights and fringe benefits.
The reasons requiring retention are as follows:
- Storing personal data as it is directly related to the establishment and performance of contracts,
- Storing personal data for the purpose of establishing, exercising or protecting a right,
- It is obligatory to keep personal data for the legitimate interests of the Company, provided that it does not harm the fundamental rights and freedoms of individuals,
- Storage of personal data in order for the Company to fulfil any legal obligation,
- The legislation clearly stipulates the storage of personal data,
- Explicit consent of data subjects in terms of storage activities that require the explicit consent of data subjects.
Pursuant to the Regulation, in the following cases, personal data belonging to data subjects shall be deleted, destroyed or anonymized by the Company ex officio or upon request:
In the event that it is necessary due to the amendment or abrogation of the provisions of the relevant legislation that constitute the basis for the processing or storage of personal data, The disappearance of the purpose requiring the processing or storage of personal data, The disappearance of the conditions requiring the processing of personal data in Articles 5 and 6 of the Law, In cases where personal data processing is carried out only on the basis of explicit consent, the relevant person's withdrawal of consent,
The application made by the data subject for the deletion, destruction or anonymization of his/her personal data within the framework of his/her rights under Article 11 of the Law is accepted by the data controller, Although the maximum period requiring the storage of personal data has expired, there is no condition that justifies storing personal data for a longer period of time.
Storage and Destruction Periods
In determining the retention and destruction periods of your personal data obtained by the Company in accordance with the provisions of the Law and other relevant legislation, the criteria specified below are used respectively:
- If a period of time is prescribed in the legislation regarding the storage of the personal data in question, this period shall be observed. Following the expiry of the aforementioned period, the data shall be processed within the framework of the following article.
- In the event that the period prescribed in the legislation regarding the storage of the personal data in question expires or if no period is stipulated in the relevant legislation regarding the storage of the data in question, respectively;
- Personal data shall be classified as personal data and personal data of special quality based on the definition in Article 6 of the Law. All personal data determined to be of special quality shall be destroyed. The method to be applied in the destruction of the data in question is determined according to the quality of the data and the importance of its storage before the Company.
- The compliance of the storage of the data with the principles specified in Article 4 of the Law, for example; It is questioned whether the Company has a legitimate purpose in storing the data. Data that is found to be in violation of the principles set out in Article 4 of the Law shall be deleted, destructed or anonymized.
- It is determined within the framework of which of the exceptions stipulated in Articles 5 and 6 of the Law the storage of the data can be evaluated. Within the framework of the determined exceptions, reasonable periods of time for data retention are determined. At the expiry of such periods, the data shall be deleted, destroyed or anonymized.
In 6 (six) month periods, it is anonymized or destructed in accordance with the procedures set out in this Policy. All transactions regarding the erasure, destruction and anonymization of personal data are recorded and such records are kept for at least 3 (three) years, excluding other legal obligations.
Procedures, Technical and Administrative Precautions Regarding the Storage and Destruction of Personal Data
The personal data to be collected in the event that your personal data needs to be processed in order for our Company to fulfil its obligations to be fulfilled within the scope of employment, data processing is mandatory for the establishment of a right, you can benefit from customer services, consumer rights and other opportunities and / or to fulfil commercial financial legal responsibilities and obligations related to them, to ensure the security of our Company or for the legitimate purposes of our Company. In addition, all data stored as digital copies are saved on the Company's server.
All administrative and technical measures taken by the Company within the framework of the principles in Article 12 of the Law in order to store your personal data securely, to prevent unlawful processing, access and to destroy the data in accordance with the law are listed below:
Administrative Precautions:
The company is under administrative precautions;
- The company limits in-house access to stored personal data to the personnel who need to access it as per their job description. In limiting access, whether the data is of special quality and the degree of importance are also taken into consideration.
- Regarding the sharing of personal data, it signs a framework agreement on the protection of personal data and data security with the persons with whom personal data is shared, or ensures data security with the provisions added to the existing agreement.
- It employs personnel who are knowledgeable and experienced in the processing of personal data and provides the necessary training to its personnel within the framework of personal data protection legislation and data security.
- It carries out the necessary inspections and has them carried out in order to ensure the implementation of the provisions of the Law within its legal entity. It eliminates the confidentiality and security weaknesses that arise as a result of the inspections.
- Ensures that adequate security measures (against electrical leakage, fire, flood, theft, etc.) are taken according to the environment where personal data is located and prevents unauthorized entry and exit to these areas.
Technical Precautions:
The company is within the content of technical precautions;
- Performs the necessary internal controls within the framework of the established systems.
- Carries out the processes of information technologies risk assessment and business impact analysis within the framework of the established systems.
- Ensures that the technical infrastructure to prevent or monitor the leakage of data outside the organization is provided and the relevant matrices are created.
- Ensures the control of system vulnerabilities by obtaining penetration testing services regularly and when the need arises.
- Ensures that the access authorizations of employees working in information technology units to personal data are kept under control.
- Ensures that personal data is destroyed in such a way that it cannot be converted into new data and leaves no trace of inspection.
- Pursuant to Article 12 of the Law, it protects all kinds of digital media where personal data is stored with encrypted or cryptographic methods to ensure information security requirements.
- It ensures that the transaction records of all movements on special categories of personal data are logged securely.
- It ensures that the necessary security tests are carried out regularly by constantly following the security updates of the environments where the data are stored.
- In cases where sensitive personal data is accessed through a software, it ensures that the security tests of this software are regularly performed by making user authorizations for this software.
- In cases where remote access to sensitive personal data is required, it provides at least two-stage authentication system.
- In cases where special categories of personal data are transferred;
- This Policy will enter into force by announcing it to all employees and will be binding for all business units, consultants, external service providers and anyone who processes personal data.
- It will be the responsibility of the supervisors of the relevant employees to monitor whether the employees fulfil the requirements of the policy. In case any behavior contrary to the policy is detected, the matter shall be immediately reported to the immediate superior by the supervisor of the relevant employee.
- Necessary administrative action will be taken against the employee who violates the policy after the evaluation to be made by Human Resources.
You can send your requests and questions about the data to dpo@roseverplus.com