BÜYÜKKAYNAKLAR METAL SANAYİ VE TİCARET LİMİTED ŞİRKETİ
PERSONAL DATA RETENTION AND DISPOSAL POLICY

• PURPOSE

This policy; It has been prepared in order to determine the procedures and principles regarding the work and transactions regarding the personal data storage and destruction activities carried out by Büyükkaynaklar Metal Sanayi ve Ticaret Limited Şirketi.
From the effective date of the Law on the Protection of Personal Data No. 6698 (“KVKK” or “Law”), the protection of personal data belonging to all real persons we come into contact with in any way while performing our commercial activities, and in this context, the KVKK; We attach great importance to the complete fulfillment of the requirements in This Personal Data Storage and Disposal Policy (“Policy”) has been prepared to inform you about the collection, use, sharing, protection, storage and deletion, destruction, anonymization processes and principles of personal data by Büyükkaynaklar Metal Industry and Trade Limited Company.< br> In this Policy, the principles regarding the processing of personal data of data owners by Büyükkaynaklar Metal Sanayi ve Ticaret Limited Şirketi; T.R. KVKK's priority is to ensure that it is processed in accordance with the Constitution, international conventions, the Law on the Protection of Personal Data No. 6698 (the “Law”) and other relevant legislation, and that the relevant persons use their rights effectively; It is given in accordance with the order of arrangement in.
As a Data Controller who is obliged to register in the Registry in accordance with the Regulation, he is obliged to prepare a Policy in order to store the personal data in his possession in accordance with the personal data inventory and to delete, destroy or anonymize when necessary, and to act in accordance with this Policy.

• SCOPE

This Policy; Personal data of which are processed by Büyükkaynaklar Metal Sanayi ve Ticaret Limited Şirketi, automatically or non-automatically, provided that it is a part of any data recording system, primarily Company Officials, Company Employees, Employee Candidates, Visitors, Company Customers, Potential Customers and Third Parties. It has been prepared for real persons and will be implemented within the scope of these specified persons.

• DEFINITIONS

Recipient  Group : The category of natural or legal person to whom personal data is transferred by the data controller.

Explicit Consent :

It is the consent that is based on information and expressed with free will on a specific subject.

Anonymization :

It is to render personal data incapable of being associated with an identified or identifiable natural person under any circumstances, even by matching with other data.

Employee :

The personnel of Büyükkaynaklar Metal Industry and Trade Limited Company.

EBYS :

Electronic Document Management System

Electronic Media :

Environments where personal data can be created, read, changed and written by electronic devices.

Non-Electronic Media :

All written, printed, visual etc. other than electronic media. are other environments.

Service Provider :

A natural or legal person providing services within the framework of a certain contract with Büyükkaynaklar Metal Industry and Trade Limited Company.

Contact Person:

The natural or legal person whose personal data is processed.

Related User :

Except for the person or unit responsible for the technical storage, protection and backup of the data, they are the persons who process personal data within the organization of the data controller or in line with the authority and instruction received from the data controller.

Destruction:

Personal      deletion, destruction, or anonymization of data.

Law :

It is the Law on Protection of Personal Data No. 6698.

Recording Environment :

It is any environment where personal data is processed wholly or partially automatically or by non-automatic means provided that it is a part of any data recording system.

Personal Data :

Any information relating to an identified or identifiable natural person.

Personal Data

Processing Inventory :

Personal data processing activities carried out by data controllers depending on their business processes; It is the inventory that they create by associating the personal data processing purposes and legal reason, the data category, the transferred recipient group and the data subject group by explaining the maximum storage period required for the purposes for which the personal data is processed, the personal data to be transferred to foreign countries and the measures taken regarding data security.

Processing of Personal Data :


Obtaining, recording, storing, storing, changing, rearranging, disclosing, transferring, taking over, making available, classifying personal data by fully or partially automatic or non-automatic means provided that it is a part of any data recording system Any operation performed on the data, such as preventing its use or use.

Board :

Personal Data Protection Board'.

Special Quality Personal Data :


Data on people's race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, disguise and dress, membership to associations, foundations or unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data.

Periodic Disposal :

In the event that all of the processing conditions of personal data in the law are eliminated; It is the deletion, destruction or anonymization process that will be carried out ex officio at repetitive intervals and specified in the personal data storage and destruction policy.

Policy:

Personal Data Retention and Destruction Policy.

Company    :

Büyükkaynaklar Metal Industry and Trade Limited Company

Register :

It is the Registry of Data Controllers kept by the Presidency.

Data Processor :

A natural or legal person who processes personal data on behalf of the data controller, based on the authority given by the data controller.

Data-Record System                  :

It is a recording system in which personal data is structured and processed according to certain criteria.

Data Controller:

It is the natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.

Data Controllers Registry Information System :


An information system, accessible over the internet, created and managed by the Presidency, to be used by data controllers in their application to the Registry and other related procedures.

VERBIS:

Data Controllers Registry Information System

Regulation :

Regulation on the Deletion, Disposal or Anonymization of Personal Data published in the Official Gazette dated 28 October 2017

• PRINCIPLES

• The general principles in Article 4 of the Law will be followed.

• Büyükkaynaklar Metal Industry and Trade Limited Company accepts that having prepared this Policy alone does not mean that personal data is deleted, destroyed or anonymized in accordance with the Regulation, Law and relevant legislation.

• Büyükkaynaklar Metal Industry and Trade Limited Company acts in accordance with the security measures in Article 12 of the Law, the provisions of the relevant legislation, the decisions to be taken by the Personal Data Protection Board and the Policy when storing or deleting, destroying or anonymizing personal data.

• Büyükkaynaklar Metal Industry and Trade Limited Company, during the deletion, destruction or anonymization of personal data that is processed by automatic means, provided that the purpose of the personal data is fully or partially automatic or is part of any recording system, is subject to this Policy and the Policy;

• Unless the Board decides otherwise, ex officio deletion, destruction or anonymization of personal data
  • RECORDING MEDIA
  
  

   

  • Electronic Media                                          

  Servers (Domain, backup, email, database, web, file sharing, etc.
  Software (office software, portal, EBYS, VERBIS.)
  Information security devices (firewall, intrusion detection and prevention, log file, antivirus, etc.)
  Personal computers (Desktop, laptop)
  Mobile devices (phone, tablet, etc.)
  Optical discs (CD, DVD, etc.)
  Removable memories (USB, Memory Card etc.)
  Printer, scanner, copier

  
  
  • Non-Electronic Media
  
  

   

  Paper,
  Manual data recording systems (survey forms, visitor logbook)
  Written, printed, visual media

  
  
  • LEGAL REASONS FOR KEEPING
  
  

  Buyukkaynaklar Metal Industry and Trade Limited Company keeps the personal data it processes for the period stipulated in the relevant legislation and within the scope of the relevant legislation. The reasons for keeping it in this context are as follows:

  • Storing personal data as it is directly related to the establishment and performance of contracts,
  • Storing personal data for the purpose of establishing, exercising or protecting a right,
  • It is obligatory to keep personal data for the legitimate interests of the company, provided that it does not harm the fundamental rights and freedoms of individuals,
  • Storage of personal data for the purpose of fulfilling any legal obligations of the company
  • The legislation clearly stipulates the storage of personal data,
  • Explicit consent of data owners for storage activities that require explicit consent of data owners.

  Buyukkaynaklar Metal Industry and Trade Limited Company pays special attention to the storage of special quality personal data, which is believed to be of more critical importance for data owners in various aspects. In this context, provided that adequate measures determined by the Board are taken, such data are not processed without the explicit consent of the data owners.

  
  
  • PROCESSING OBJECTIVES THAT REQUIRE STORAGE
  
  

  Büyükkaynaklar Metal Industry and Trade Limited Company stores the personal data it processes within the framework of its activities for the following purposes.

  • Executing human resources processes,
  • To ensure the planning and execution of corporate communication activities,
  • To ensure company security,
  • To be able to do statistical studies,
  • To be able to perform work and transactions as a result of signed contracts and protocols,
  • Ensuring the fulfillment of legal obligations as required or mandated by legal regulations,
  • To contact real / legal persons who have a business relationship with the company,
  • Making legal reports,
  • Creation of personnel files, payroll,
  • Employee contract process management,
  • Execution of insurance renewal processes,
  • Providing health services to employees,
  • Keeping blood group lists,
  • Allocation of vehicles, telephones and lines to the employees within the scope of the performance of the employment contract,
  • Executing the processes of procuring power of attorney and circular of signature,
  • Conformity assessments within the scope of subcontracting,
  • Making emergency preparations and conducting operations,
  • Execution of occupational health and safety processes,
  • Accident and legislation management within the scope of occupational health and safety,
  • Establishment of service procurement contracts processes,
  • Planning, auditing and execution of information security processes
  • Opening and authorizing e-mail accounts for employees,
  • Keeping Internet log records,
  • Planning personnel travels and conducting the advance processes,
  • Execution and follow-up of paperwork,
  • Card and service records for personnel entries,
  • Continuity of budgeting processes,
  • Providing and managing staff training,
  • Planning and execution of in-company training and orientation programs,
  • Internal operations ,
  • Activities with legal, technical and administrative consequences,
  • Strategy, planning and business partners/supplier management,
  • Planning and execution of in-company training programs,
  • The burden of proof as evidence in legal disputes that may arise in the future.
  
  
  • LEGAL REASONS FOR DISPOSAL
  
  

               In accordance with the Regulation, personal data belonging to data owners in the cases listed below; It is deleted, destroyed or anonymized by Büyükkaynaklar Metal Industry and Trade Limited Company ex officio or upon request:

  • In cases where it is necessary due to the amendment or repeal of the provisions of the relevant legislation, which are the basis for the processing or storage of personal data,
  • The disappearance of the purpose that requires the processing or storage of personal data,
  • The elimination of the conditions requiring the processing of personal data in Articles 5 and 6 of the Law,
  • In cases where the processing of personal data takes place only on the basis of express consent, the data subject withdraws his consent,
  • The data controller accepts the application made by the data subject regarding the deletion, destruction or anonymization of his personal data within the framework of his rights in subparagraphs 2 (e) and (f) of Article 11 of the Law,
  • In cases where the data controller rejects the application made by the data subject to the request for the deletion, destruction or anonymization of his/her personal data, if his/her answer is found insufficient or if he/she does not respond within the time stipulated in the Law; Complaining to the Board and approval of this request by the Board,
  • Despite the fact that the maximum period for keeping personal data has passed, there are no conditions to justify keeping personal data for a longer period of time.
  
  
  • STORAGE AND DISPOSAL TIMES
  
  

  The following criteria are used to determine the retention and destruction periods of your personal data obtained by Büyükkaynaklar Metal Industry and Trade Limited Company in accordance with the provisions of the KVKK and other relevant legislation:
  a. If a period of time is stipulated in the legislation regarding the storage of the personal data in question, this period shall be complied with. Following the expiry of the aforementioned period, action is taken on the data within the scope of clause b.
  b. In the event that the period stipulated in the legislation regarding the storage of the said personal data expires or if no period is stipulated in the relevant legislation regarding the storage of the said data, respectively;
  a. Personal data is classified as personal data and sensitive personal data based on the definition in Article 6 of the KVKK. All personal data determined to be of a private nature will be destroyed. The method to be applied in the destruction of the said data is determined according to the nature of the data and the degree of importance of its storage to Büyükkaynaklar Metal Industry and Trade Limited Company.
  b. Compliance of data storage with the principles specified in Article 4 of the KVKK, for example; It is questioned whether Büyükkaynaklar Metal Industry and Trade Limited Company has a legitimate purpose in storing the data. Data that are detected to be kept in violation of the principles set forth in Article 4 of the KVKK are deleted, destroyed or anonymized.
  c. It is determined which of the exceptions stipulated in Articles 5 and 6 of the KVKK that data storage can be evaluated within the scope of. Within the framework of the detected exceptions, reasonable periods for data storage are determined. In the event of the expiration of such periods, the data is deleted, destroyed or anonymized.
  Büyükkaynaklar Metal Industry and Trade Limited Company is subject to the retention, destruction and periodic destruction periods determined by this Policy. in ‘‘Personal Data Processing Inventory’ Personal data, whose storage period has expired, is destroyed within the framework of the destruction periods in the annex of this Policy, in accordance with the procedures set forth in this Policy, in 6-month periods.

  
  
  • TECHNICAL AND ADMINISTRATIVE MEASURES
  
  

                Büyükkaynaklar Metal Sanayi ve Ticaret Limited Şirketi, in accordance with Article 12 of the Law, to prevent the unlawful processing of personal data it processes, to prevent unlawful access to data, and to maintain the appropriate level of security in order to ensure the preservation of data. takes the necessary precautions and makes the necessary inspections in this context.

  
  
  1. Technical Measures

   

  Buyukkaynaklar Metal Industry and Trade Limited Company, within the scope of technical measures;

  • Network security and application security are provided.
  • A closed system network is used for personal data transfers via the network.
  • Security measures are taken within the scope of procurement, development and maintenance of information technology systems.
  • The authority matrix has been created for the employees.
  • The authorizations of employees who have a change in duty or quit their job in this field are removed.
  • Current anti-virus systems are used.
  • Firewalls are used.
  • Necessary security measures are taken regarding entry and exit to physical environments containing personal data.
  • Attack detection and prevention systems are used.
  • Cyber ​​security measures have been taken and their implementation is constantly monitored.
  
  
  2. Administrative Measures
  
  

  Buyukkaynaklar Metal Industry and Trade Limited Company, within the scope of administrative measures;

  • Restricts internal access to the stored personal data to the personnel required to access it as per the job description. Whether the data is of a special nature or not and the degree of importance are also taken into account in limiting the access.
  •  In case the processed personal data is obtained by others unlawfully, it shall notify the person concerned and the Board as soon as possible.
  • Concerning the sharing of personal data, it signs a framework agreement on the protection of personal data and data security with the persons to whom personal data is shared, or provides data security with the provisions added to the existing agreement.
  • It carries out the necessary inspections in order to ensure the implementation of the provisions of the Law before its own legal entity and has it done. Eliminates privacy and security vulnerabilities resulting from audits.
  • Before processing personal data, the company fulfills its obligation to inform the relevant persons.
  • Personal data processing inventory has been prepared.

   

  • PERSONAL DATA DISPOSAL TECHNIQUES

   

    Your personal data processed for the purposes specified in this Personal Data Protection Policy; It will be deleted, destroyed and anonymized by us when the purpose that requires processing according to Article 7/1 of the Law No. 6698 disappears and the periods determined by the laws expire.

  
  
  • Deletion of Personal Data
  
  

    Deletion of personal data processed in whole or in part by automatic means; It is the process of making the said personal data inaccessible and reusable by the relevant users in no way. The data controller explains how the conditions specified in the third paragraph are provided for the personal data to be deemed deleted in the relevant policies and procedures.

  
  
  • Personal Data Deletion Methods
  
  

   

  1. Personal Data on Servers
  
  

    The system administrator removes the access authorization of the relevant users and deletes the personal data on the servers for those whose period of time has expired. While deleting data processed by fully or partially automated means and stored in digital media; Methods for deleting the data from the relevant software are used in a way that will make it inaccessible and unusable for the relevant Users.

  Deletion of relevant data in the cloud system by issuing a delete command; removing the access rights of the relevant user on the file or the directory where the file is located on the central server; deletion of related rows in databases with database commands; The deletion of data in flash media or portable media, using appropriate software, can be considered within this scope.

  However, if the deletion of personal data will result in the inaccessibility of other data within the system and the inability to use this data, the personal data will also be deemed deleted if the personal data is archived in a way that cannot be associated with the data subject, provided that the following conditions are met.

  − It is closed to the access of any other institution, organization or person,
  − Taking all necessary technical and administrative measures to ensure that only authorized persons can access personal data.

  
  
  2. Personal Data in Electronic Media

   

  Personal data in the electronic environment, whose period has expired, are rendered inaccessible and non-reusable for other employees (related users) except the database administrator.

  
  
  3. Personal Data in Physical Environment

   

  Personal data kept in the physical environment shall be rendered inaccessible and unusable in any way for other employees, except for the unit manager responsible for the document archive, for those whose period has expired. In addition, blackening is applied by drawing/painting/erasing in a way that cannot be read.

  
  
  4. Personal Data in Portable Media

   

  Personal data kept in flash-based storage media, whose expiration date has expired, are encrypted by the system administrator and only the system administrator is authorized to access them, and are stored in secure environments with encryption keys.

  
  
  5. Expert Secure Deletion

   

  In some cases, it may hire an expert to delete personal data on its behalf. In this case, the personal data is securely deleted by the person who is an expert in this field so that it cannot be accessed and reused in any way for the Relevant Users.

  
  
  • Destruction of Personal Data

   

  Destruction of personal data pursuant to Article 9 of the Regulation; It is the process of making personal data inaccessible, irretrievable and reusable by anyone in any way. Büyükkaynaklar Metal Sanayi ve Ticaret Limited Şirketi, as the data controller, declares in this Policy that it has taken all necessary technical and administrative measures regarding the destruction of personal data.

   

  
  
  • Personal Data Destruction Methods
  
  
  1. De-magnetizing

   

  It is a method of corrupting the data on it in an unreadable way by passing the magnetic media through special devices where it will be exposed to high magnetic fields. It should be noted that if destruction with this method is not successful, only the physical destruction of the media will be able to complete the destruction.

  
  
  2. Physical Destruction

   

  Personal data can also be processed in non-automatic ways, provided that it is a part of any data recording system. While such data is destroyed, a system of physical destruction of personal data is applied so that it cannot be used later. The destruction of data in paper and microfiche media should also be carried out in this way, as they cannot be destroyed in any other way.

  
  
  3. Overwrite

   

  The overwrite method is a data destruction method that makes it impossible to read and recover old data by writing random data consisting of 0 and 1's at least seven times over magnetic media and rewritable optical media via special software.

  
  
  4. Securely Delete from Software

   

  Personal data kept in the cloud is irrecoverably deleted by digital command, and when the cloud computing service relationship ends, all copies of encryption keys required to make personal data usable are destroyed. Data deleted in this way cannot be accessed again.

  
  
  • Anonymization of Personal Data

   

  Anonymization of personal data means that personal data cannot be associated with an identified or identifiable natural person under any circumstances, even if it is matched with other data. In order for personal data to be anonymized; Personal data must be rendered unrelated to an identified or identifiable natural person, even by using appropriate techniques for the recording medium and the relevant field of activity, such as returning the personal data by the data controller or third parties and/or matching the data with other data.

  
  
  • PERSONAL DATA STORAGE AND DISPOSAL TIMES

   

  The storage and destruction periods of your personal data obtained by Büyükkaynaklar Metal Industry and Trade Limited Company in accordance with the provisions of KVKK and other relevant legislation are given in the table below.

  
  

  PROCESS	STORAGE PERIOD	DISPOSAL TIME
  Planning and Execution of Corporate Communication Activities	10 years after termination of employment	Within 30 days following the destruction application of the data owner
  General Assembly Procedures	10 years	After the end of the retention period
  Answering court/executive information requests regarding personnel, Criminal convictions and security measures	10 years after termination of employment	After the end of the retention period
  Preparation of contracts	10 years	After the end of the retention period
  Recruitment Following termination of employment	10 years	After the end of the retention period
  Occupational Health and Safety Practices	10 years after termination of employment	After the end of the retention period
  Information about company partners and board members	10 years	After the end of the retention period
  Camera Records	25 days	After the end of the retention period
  Data kept within the scope of Social Security Institution legislation	10 years after termination of employment	After the end of the retention period

   

  • PERIODIC DISPOSAL TIME
  
  

  Physical and digital data that have completed the legal storage and destruction periods are periodically destroyed. Büyükkaynaklar Metal Sanayi ve Ticaret Limited Şirketi deletes, destroys or anonymizes personal data in the first periodical destruction process following the date on which the obligation to delete, destroy or anonymize personal data arises. Periodic destruction is carried out at 6-month intervals for all personal data.

  
  
  • UPDATE, ADAPTATION AND CHANGES
  
  

  Buyukkaynaklar Metal Industry and Trade Limited Company reserves the right to make changes in this Policy and other policies related to this Policy, in line with the changes made in the Law, pursuant to the decisions of the KVK Board or in line with the developments in the sector or in the field of informatics.< br> Changes made in this Policy will be immediately transcribed into the text and explanations for the changes will be explained at the end of the Policy.

  
  
  • IMPLEMENTATION AND REVOCATION OF THE POLICY
  
  

  The policy is deemed to have entered into force after its publication on the website of Büyükkaynaklar Metal Industry and Trade Limited Company (www.buyukkaynaklar.com). . If it is decided to cancel it, the old copies of the policy with wet signatures are canceled and signed (with the cancellation stamp or written cancellation) and kept by the company for at least 5 years.