1. PURPOSE OF DISPOSAL POLICY
The purpose of this Destruction Policy (Policy) is to set out the procedures by which omrgears.com deletes, destroys or anonymizes personal data, ex officio or upon the request of the data owner, in accordance with the Regulation on Deletion, Destruction or Anonymization of Data (Regulation), when the personal data processing conditions set out in Articles 4, 5 and 6 of the Personal Data Protection Law No. 6698 (Law) cease to apply to personal data that was processed in accordance with the Law.
Explicit Consent
It refers to consent regarding a specific subject, based on information and expressed with free will.
Relevant User
Persons who process personal data within the data controller organization or in line with the authority and instructions received from the data controller, excluding the person or unit responsible for the technical storage, protection and backup of the data.
Destruction
Deleting, destroying or anonymizing personal data.
Recording Media
Any environment containing personal data processed by fully or partially automated means or by non-automatic means provided that it is part of any data recording system.
Personal Data
Any information regarding an identified or identifiable natural person.
Personal Data Policy
Refers to the Personal Data Protection and Privacy Policy prepared by omrgears.com.
Processing of Personal Data
Any operation performed on personal data by fully or partially automatic means, or by non-automatic means provided that it is part of any data recording system, such as obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or preventing the use of the data.
Anonymization of Personal Data
Making personal data impossible to associate with an identified or identifiable natural person in any way, even by matching it with other data.
Deletion of Personal Data
Making personal data inaccessible and unusable in any way for Relevant Users.
Destruction of Personal Data
The process of making personal data inaccessible, irretrievable and unusable by anyone.
Board
Personal Data Protection Board
Special Personal Data
Data regarding people's race, ethnic origin, political thought, philosophical belief, religion, sect or other beliefs, appearance and attire, association, foundation or union membership, health, sexual life, criminal conviction and security measures, as well as biometric and genetic data.
Periodic Destruction
The deletion, destruction or anonymization process specified in the personal data storage and destruction policy, which will be carried out ex officio at recurring intervals, in case all the conditions for processing personal data specified in the Law are eliminated.
Data Owner/Relevant Person
The real person whose personal data is processed.
Data Controller
Real or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system.
Regulation
Regulation on Deletion, Destruction or Anonymization of Personal Data, published in the Official Gazette on 28 October 2017.
3. RECORDING MEDIUMS WHERE PERSONAL DATA IS STORED
Personal data of data owners are stored securely by omrgears.com in the environments listed below, in accordance with the relevant legislation, especially the provisions of the Law:
Electronic media:
• CRM
• MS SQL Server
• E-mail Mailbox
• Microsoft Office Programs
• Video Recorders
Physical environments:
• Unit Cabinets
• Folders
• Archive
4. EXPLANATIONS REGARDING THE REASONS REQUIRING STORAGE AND DISPOSAL
Personal data of data owners are processed by omrgears.com in particular for the following purposes:
a. Sustaining education and commercial activities,
b. Fulfillment of legal obligations,
c. Planning and execution of employee rights and benefits,
d. Management of customer relations.
For these purposes, the data is stored securely in the physical or electronic environments listed above, within the limits specified in the Law and other relevant legislation.
Reasons that require storage are as follows:
a. Personal data being directly related to the establishment and execution of contracts,
b. Establishment, use or protection of a right in personal data,
c. omrgears.com having a legitimate interest, provided that the fundamental rights and freedoms of individuals are not harmed,
d. Personal data being necessary for omrgears.com to fulfill any legal obligations,
e. Storage of personal data being clearly stipulated in the legislation,
f. Existence of explicit consent of data owners in terms of storage activities that require explicit consent of data owners.
In accordance with the Regulation, personal data of data owners are deleted, destroyed or anonymized by omrgears.com ex officio or upon request in the following cases:
a. Amendment or abolition of the relevant legislative provisions that constitute the basis for the processing or storage of personal data,
b. Elimination of the purpose requiring the processing or storage of personal data,
c. Elimination of the conditions requiring the processing of personal data in Articles 5 and 6 of the Law,
d. In cases where personal data is processed only on the basis of explicit consent, the relevant person withdrawing his/her consent,
e. Acceptance by the data controller of the application made by the relevant person for the deletion, destruction or anonymization of his personal data within the framework of his rights in paragraphs 2 (e) and (f) of Article 11 of the Law,
f. The relevant person making a complaint to the Board, and the Board approving this request, in cases where the data controller rejects the application made to him by the data subject requesting the deletion, destruction or anonymization of his personal data, his response is found insufficient, or he does not respond within the time period stipulated in the Law,
g. The maximum period requiring personal data to be stored having passed, with no conditions that justify storing personal data for a longer period of time.
5. PRECAUTIONS TAKEN REGARDING THE PROTECTION OF PERSONAL DATA
In accordance with Article 12 of the Law, omrgears.com takes the necessary technical and administrative measures to ensure the appropriate level of security in order to prevent the unlawful processing of the personal data it processes, to prevent unlawful access to the data and to ensure the preservation of the data, and carries out, or has carried out, the necessary inspections within this scope. All technical and administrative measures taken are also regulated in the Personal Data Policy. If the processed personal data is obtained by third parties through illegal means even though all technical and administrative measures have been taken, omrgears.com will notify the relevant units as soon as possible.
5.1. Technical Measures:
• Technical measures are taken in accordance with the developments in technology, and the measures taken are periodically updated and renewed.
• Access and authorization technical solutions are implemented in accordance with the legal compliance requirements determined on a business unit basis.
• Access authorizations are limited and authorizations are reviewed regularly.
• The technical measures taken are checked periodically, risky issues are re-evaluated and the necessary technological solutions are produced.
• Software and hardware including virus protection systems and firewalls are installed.
• Personnel knowledgeable in technical matters are employed.
• Regular security scans are carried out to detect security vulnerabilities in applications where personal data is collected. It is ensured that the gaps found are closed.
• System vulnerabilities are checked by obtaining penetration testing services when needed.
• Personal data is destroyed in a way that cannot be recovered and does not leave an audit trail.
5.2 Administrative Measures:
• Employees are trained on the technical measures to be taken to prevent unlawful access to personal data.
• Personal data access and authorization processes are designed and implemented within omrgears.com in accordance with legal compliance requirements for personal data processing on a business unit basis. When restricting access, whether the data is special or not and its level of importance are also taken into consideration.
• Provisions are added to all kinds of documents that regulate the relationship between omrgears.com and its personnel and contain personal data, stating that the obligations stipulated by the Law must be complied with in order to process personal data in accordance with the law, that personal data should not be disclosed, that personal data should not be used unlawfully, and that the confidentiality obligation regarding personal data continues even after the termination of the employment contract with omrgears.com.
• Employees are informed that they cannot disclose the personal data they have learned to anyone else in violation of the provisions of the Law or use it for purposes other than the purpose of processing, and that this obligation will continue after they leave office, and the necessary commitments are taken from them in this regard.
• Provisions are added to contracts concluded by omrgears.com with persons to whom personal data is transferred in accordance with the law, stating that the persons to whom personal data are transferred will take the necessary security measures to protect personal data and ensure that these measures are complied with in their own organizations.
• If the processed personal data is obtained by others through illegal means, omrgears.com notifies the relevant person and the Board as soon as possible.
• When necessary, omrgears.com employs staff who are knowledgeable and experienced about the processing of personal data and provides training to its staff within the scope of personal data protection legislation and data security.
• omrgears.com carries out, or has carried out, the necessary inspections in order to ensure the implementation of the provisions of the Law. It eliminates privacy and security vulnerabilities that arise as a result of audits.
6. PRECAUTIONS TAKEN REGARDING THE DESTRUCTION OF PERSONAL DATA
omrgears.com may delete or destroy personal data that has been processed in accordance with the provisions of the relevant law, based on its own decision or upon the request of the personal data owner, if the reasons requiring processing are eliminated. Following the deletion of personal data, the deleted data will not be accessed or used again by the relevant persons in any way. An effective data tracking process will be managed by omrgears.com to define and monitor the destruction processes of personal data. The process will include identifying the data to be deleted, identifying the relevant persons, determining the access methods of the persons, and immediately deleting the data.
omrgears.com may use one or more of the following methods, depending on the medium in which the data is recorded, to destroy, delete or anonymize personal data:
6.1. Methods for Deleting, Destroying and Anonymizing Personal Data
6.1.1. Deletion of Personal Data
Deletion of personal data is the process of making personal data inaccessible and unusable for the relevant users in any way. omrgears.com may use one or more of the following methods as a method of deleting personal data:
• Personal data on paper will be rendered unreadable using the blackout method, by crossing out, painting over, cutting out or erasing.
• User(s) access right(s) for office files located in the central file will be eliminated.
• Rows or columns containing personal information in the databases will be deleted with the 'Delete' command.
• Data will be deleted securely with the help of an expert when necessary.
6.1.2. Destruction of Personal Data
Destruction of personal data is the process of making personal data inaccessible, irretrievable and unusable by anyone.
• Physical Destruction
• Destruction with Paper Shredder
• De-magnetization: The method of corrupting the data on magnetic media so that it becomes unreadable, by passing the media through special devices where it is exposed to high magnetic fields.
6.1.3. Anonymizing Personal Data
Anonymizing personal data means making personal data impossible to associate with an identified or identifiable natural person in any way, even by matching it with other data. omrgears.com may use one or more of the following methods to anonymize personal data:
• Masking: Data masking is the method of anonymizing personal data by removing the basic identifying information from the data set.
• Removing Records: In the record removal method, the data row that contains a singularity is removed from the records and the stored data is made anonymous.
• Regional Hiding: In the regional hiding method, if a single data item is identifying because it forms a very rarely seen combination, hiding the relevant data provides anonymization.
• Global Coding: With the data derivation method, a more general content is created than the content of personal data and it is ensured that personal data cannot be associated with any person. For example, stating ages instead of dates of birth, or specifying the region of residence instead of the full address.
• Adding Noise: The method of adding noise to the data makes the data anonymous by adding some positive or negative deviations to the existing data at a determined rate, especially in a data set where numerical data is predominant. For example, in a data group containing weight values, using a deviation of (+/-) 3 kg prevents the actual values from being displayed and the data is anonymized. The deviation applies equally to each value.
In accordance with Article 28 of the Law, anonymized personal data may be processed for purposes such as research, planning and statistics. Such processing is outside the scope of the Law, and the explicit consent of the personal data owner will not be required.
omrgears.com will be able to make ex officio decisions regarding the deletion, destruction or anonymization of personal data and can freely determine the method to be used according to the category it has chosen. In addition, within the scope of Article 13 of the Regulation, if the relevant person chooses one of the categories of deletion, destruction or anonymization of his/her personal data during the application, omrgears.com will be free to choose the methods to be used in the relevant category.
7. PERSONAL DATA STORAGE AND DESTRUCTION PERIOD
omrgears.com stores personal data for the period necessary for the purpose for which they are processed. If the main purpose of collection of personal data or the basis for secondary processing specified in this Policy, if any, disappears, personal data may continue to be stored for the periods specified in ANNEX 1.
If a period of time is stipulated in the legislation for the storage of the personal data in question, this period is observed. If there is no period stipulated in the legislation, personal data will be stored for the maximum storage period given in the table in ANNEX 1. These periods have been determined by evaluating omrgears.com's data categories and data owner groups, so as to ensure that the obligations stated in the law are fulfilled, and by taking into account the maximum limitation period (10 years) in the Turkish Code of Obligations.
In case the obligation to delete, destroy or anonymise arises due to the expiration of these periods, omrgears.com will delete, destroy or anonymise the personal data in the first periodic destruction process following this date.
8. COMPANY PERIODIC DESTRUCTION PERIOD
The periodic destruction period of omrgears.com is 1 year. Personal data whose storage period has expired is destroyed in accordance with the procedures set out in this Policy, in 1-year periods, within the framework of the destruction periods in ANNEX 1 of this Policy. In the systems in question, the information will be irretrievably deleted from devices such as documents, files, CDs, floppy disks and hard disks, if any, in which the data is recorded.
9. STAFF
The titles, units and job descriptions of the personnel who will fulfil the obligations of omrgears.com, as data controller within the scope of the Law, regarding the implementation of the data storage and destruction process are given in the list in ANNEX 2 of this Policy, based on the 1st paragraph of Article 11 of the Regulation.
These persons, whose boundaries are determined, are responsible for the transactions and actions that occur within their authority within the scope of the Turkish Commercial Code, the Code of Obligations and the Turkish Penal Code. He was elected as the Chairman of omrgears.com Personal Data Protection Board, with the authority to represent omrgears.com and to testify, especially in the Law Enforcement, Prosecutor's Offices, public institutions and courts. Each department manager will be responsible for checking whether the relevant users in the departments comply with this Policy and the Personal Data Policy prepared within the framework of the Law and Regulation. All department heads will report the actions taken in line with this Policy to the Chairman of the Personal Data Protection Board of omrgears.com within the specified periodic destruction periods. The decision resulting from the study results for these reports will be put into practice.
10. APPLICATION OF THE CONCERNED PERSON
Pursuant to Article 13 of the Law and Article 12 of the Regulation, the relevant person may request the deletion or destruction of his or her personal data by applying to omrgears.com with an application petition that can be obtained upon request from omrgears.com in accordance with the Personal Data Policy.
1. If all the conditions for processing personal data have been eliminated, the data controller deletes, destroys or anonymizes the personal data subject to the request. The data controller concludes the request of the relevant person within thirty days at the latest and informs the relevant person.
2. If all the conditions for processing personal data have been eliminated and the personal data subject to the request has been transferred to third parties, the data controller notifies the third party of this situation and ensures that the necessary transactions are carried out by the third party within the scope of the Regulation.
3. If all the conditions for processing personal data have not been eliminated, this request may be rejected by the data controller by explaining the reason, and the rejection response will be notified to the relevant person in writing or electronically within thirty days at the latest. omrgears.com, as data controller, may refuse to delete the personal data for the following reasons:
a. Processing of personal data for purposes such as research, planning and statistics by anonymizing them with official statistics.
b. Processing of personal data for artistic, historical, literary or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defence, national security, public security, public order, economic security, privacy of private life or personal rights or constitute a crime.
c. Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defence, national security, public safety, public order or economic security.
d. Processing of personal data by judicial authorities or enforcement authorities regarding investigation, prosecution, trial or enforcement proceedings.
e. Processing of personal data is necessary for the prevention of crime or criminal investigation.
f. Processing of personal data made public by the personal data owner.
g. Processing of personal data is necessary for the execution of auditing or regulatory duties and disciplinary investigation or prosecution by public institutions and organizations and professional organizations that are public institutions, based on the authority granted by the law.
h. Personal data processing is necessary to protect the economic and financial interests of the State regarding budget, tax and financial matters.
i. The request of the personal data owner is likely to hinder the rights and freedoms of other persons.
j. Requests have been made that require disproportionate effort.
k. The requested information is publicly available information.
10.1 Personal Data Owner's Exercise of His Rights
Data owners will be able to submit their requests regarding their rights under title 9 of this chapter to omrgears.com by filling out and signing the application petition that can be obtained from omrgears.com, with information and documents that will identify them and by the methods specified below or other methods determined by the Board:
In order for third parties to make an application on behalf of personal data owners, there must be a special power of attorney issued by the data owner through a notary in the name of the person who will apply.
10.2 Personal Data Owner's Right to Complain to the KVK Board
Pursuant to Article 14 of the Law, in cases where the application is rejected, the response is found to be insufficient, or the application is not responded to in due time, the relevant person may file a complaint with the Board within thirty days from the date of learning omrgears.com's response and, in any case, within sixty days from the date of application.
11. INFORMATION THAT THE COMPANY MAY REQUEST FROM THE APPLICANT PERSONAL DATA OWNER
omrgears.com may request information from the relevant person in order to determine whether the applicant is the owner of personal data. In order to clarify the issues included in the application of the personal data owner, omrgears.com may ask questions to the personal data owner regarding his/her application.
12. REVISION AND REPEAL
If the Policy is changed or repealed, the amended version of the Policy or the new policy example will be announced on the omrgears.com website.
13. ENFORCEMENT
This Policy enters into force on 15/10/2019.