EVOLOG NAKLIYAT VE LOJISTIK HIZMETLER TIC LTD ŞTI Policy on the Retention and Destruction of Personal Data
EVOLOG NAKLIYAT VE LOJISTIK HIZMETLER TIC LTD ŞTI Policy on the Retention and Destruction of Personal Data
EVOLOG NAKLIYAT VE LOJISTIK HIZMETLER TIC LTD ŞTI Policy on the Retention and Destruction of Personal Data
PART 1: NATURE AND PURPOSE OF THE DATA DESTRUCTION POLICY
1.1. INTRODUCTION
This Policy on the Destruction of Personal Data is prepared for the purpose of determining the procedures and principles to be followed by EVOLOG regarding the deletion, destruction or anonymisation of personal data, which, as EVOLOG NAKLIYAT VE LOJISTIK HIZMETLER TIC LTD ŞTI (hereinafter referred to as ‘EVOLOG’), we hold in the capacity of Data Controller, in accordance with Law No 6698 on the Protection of Personal Data and other legislation.
In this context, the personal data of our employees, employee candidates, customers and all natural persons who for any reason whatsoever submit their personal data to EVOLOG are managed in accordance with the laws within the framework of the Policy on Processing and Protection of Personal Data and this Policy on the Retention and Destruction of Personal Data.
1.2. DEFINITIONS
Direct Identifiers
It refers to identifiers that, on their own, directly reveal, disclose and make distinguishable the person with whom they are associated.
Indirect Identifiers
It refers to identifiers that, in combination with other identifiers, reveal, disclose and make distinguishable the person with whom they are associated.
Data Subject
It refers to the natural person whose personal data is processed.
Destruction
It refers to the deletion, destruction or anonymisation of personal data.
Law
It refers to Law No 6698 (published in the Official Gazette dated 07.04.2016 and numbered 29677) on the Protection of Personal Data.
Regulation
It refers to the Regulation (published in the Official Gazette dated 28.10.2017 and numbered 30224) on the Deletion, Destruction or Anonymisation of Personal Data.
Committee
It refers to the Personal Data Protection Committee.
Recording Medium
It refers to any kind of medium containing personal data processed by fully or partially automatic means or by non-automatic means, provided that it is part of any data recording system.
Policy on Processing and Protection of Personal Data
It refers to the policy defining the procedures and principles regarding the management of personal data held by EVOLOG, which can be accessed at www.evolog.com.tr
Data Recording System
It refers to the recording system where personal data are organised and processed according to certain criteria.
.
PART 2: MEDIUM AND SAFETY PRECAUTIONS
2.1. MEDIUM WHERE PERSONAL DATA ARE RETAINED
Personal data retained at EVOLOG are kept in a recording medium in accordance with the nature of the relevant data and our legal obligations.
The recording mediums that are generally used for the retention of personal data are listed below. However, some data may be kept in a different medium than the medium shown here due to their special characteristics or our legal obligations. In all cases, EVOLOG acts in the capacity of a Data Controller and processes and protects personal data in accordance with the Law, the Policy on Processing and Protection of Personal Data and this Policy on the Retention and Destruction of Personal Data.
a) Printed Medium: Medium in which data is retained by printing on paper or microfilms
b) Local Digital Medium: Servers, hard or portable discs, optical discs and other digital medium available within EVOLOG
c) Cloud Environments: These are the medium that are not available within EVOLOG, but are used by EVOLOG and where internet-based systems encrypted with cryptographic methods are employed.
2.2. ENSURING THE SECURITY OF THE MEDIUM
In order to retain personal data securely and to prevent unlawful processing and access, EVOLOG takes all necessary technical and administrative measures in accordance with the nature of the relevant personal data and the medium in which it is retained.
These measures include but are not limited to, the following administrative and technical measures to the extent appropriate to the nature of the personal data concerned and the medium in which it is kept.
2.2.1. Technical Measures
In all mediums where personal data is retained, EVOLOG takes the following technical measures in accordance with the nature of the relevant data and the nature of the medium in which the data is retained:
In the environments where personal data are kept, only up-to-date and secure systems that are in line with technological developments are used.
Security systems are used for the mediums where personal data are retained.
Security tests and investigations are carried out to identify security vulnerabilities in IT systems, and existing or potential risk issues identified at the end of the tests and investigations are eliminated.
Access to data is restricted and, limited to the purpose of retaining personal data, only authorised persons are allowed to access the mediums where personal data are retained and all accesses are logged.
EVOLOG employs a sufficient number of technical personnel to ensure the security of the environments where personal data are retained.
2.2.2. Administrative Measures
In all mediums where personal data is retained, EVOLOG takes the following administrative measures in accordance with the nature of the relevant data and the nature of the medium in which the data is retained:
Efforts are being made to raise awareness of all EVOLOG employees who have access to personal data on information security, privacy of personal data and privacy of private life.
Legal and technical consultancy services are procured in order to closely follow the developments in the field of information security, privacy of private life and protection of personal data and to take necessary actions.
In the event that personal data is passed on to third parties due to technical or legal requirements, protocols are signed with the relevant third parties for the protection of personal data, and all necessary care is taken to ensure that the relevant third parties comply with the obligations in these protocols.
2.2.3. In-house Audits
As per Article No 12 of the Law, EVOLOG conducts in-house audits regarding the implementation of the provisions of the Law and the provisions of this Policy on the Retention and Destruction of Personal Data and the Policy on the Processing and Protection of Personal Data.
In the event that deficiencies or defects regarding the implementation of these provisions are detected during in-house audits, these deficiencies or defects shall be remedied immediately.
In case, during the audit or in any other way, it is understood that the personal data under the responsibility of EVOLOG is obtained by others illegally, EVOLOG shall notify the data subject and the Committee as soon as possible.
PART 3: DESTRUCTION OF PERSONAL DATA
3.1. REASONS FOR RETENTION AND DESTRUCTION
3.1.1. Reasons for Retention of Personal Data
Personal data kept under the roof of EVOLOG are retained for the purposes and reasons specified herein in accordance with the Law and our Policy on Personal Data (you can access the relevant policy at the following address: www.evolog.com.tr).
3.1.2. Reasons for Destruction of Personal Data
Personal data retained by EVOLOG shall be deleted, destructed or anonymised ex officio in accordance with this Policy on Destruction of Personal Data upon the request of the data subject or in the event of the disappearance of the reasons listed in Article No 5 and Article No 6 of the Law.
The reasons listed in Article No 5 and Article No 6 of the Law are as follows:
a) If it is explicitly stipulated in the laws
b) If it is mandatory for the purpose of protecting the life and bodily integrity of a person or another person, whose consent does not have legal validity or who is not capable of expressing his/her consent due to actual impracticalities
c) If it is necessary to process personal data belonging to the parties to the contract, provided that it is directly related to the establishment or performance of a contract
d) If it is mandatory for the data controller to fulfil its legal obligations
e) If it has been publicised by the data subject himself/herself
f) If data processing is mandatory for the establishment, exercise or protection of a right
g) If data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedom of the data subject
3.2. METHODS OF DESTRUCTION OF PERSONAL DATA
EVOLOG shall ex officio delete, destruct or anonymise the personal data that it retains in accordance with the Law and other legislation and the Policy on Processing and Protection of Personal Data, in the event that the reasons requiring the processing of the data disappear, upon the request of the data subject or within the periods specified in this Policy on the Retention and Destruction of Personal Data.
The most common deletion, destruction and anonymisation techniques used by EVOLOG are listed below:
3.2.1.1 Methods of Deletion of Personal Data
Methods of Deletion for Personal Data Retained in Printed Medium
Blackout
Personal Data retained in printed medium is deleted by using the blackout method. The blackout procedure is performed by cutting out the personal data on the relevant document, where possible, and, where not possible, by making it invisible by using fixed ink in such a way that the data cannot be reversed and cannot be read by means of technological solutions.
Methods of Deletion for Personal Data Retained in Cloud Environments and Local Digital Mediums
Secure Deletion from the Software
Personal data retained in the cloud environments or local digital mediums are deleted by digital commands in such a way that they cannot be recovered again. Data deleted in this way cannot be accessed again.
3.2.1.2 Methods of Destruction for Personal Data
Methods of Destruction for Personal Data Retained in Printed Mediums
Physical Destruction
Documents kept in printed form are destroyed by document destruction machines in such a way that they cannot be brought together again.
Methods of Destruction for Personal Data Retained in Local Digital Mediums
Physical Destruction
It is the process of physically destroying optical and magnetic media containing personal data, such as melting, burning or pulverising. The data is rendered inaccessible by processes such as melting, burning, pulverising or passing the optical or magnetic media through a metal grinder.
De-magnetisation (Degauss)
It is the process of distorting the data on the magnetic medium in an unreadable way by exposing it to a high magnetic field.
Overwriting
Random data consisting of 0s and 1s are written at least seven times on the magnetic medium and rewritable optical media, preventing the old data from being read and recovered.
Methods of Destruction for Personal Data Retained in Cloud Environments
Secure Deletion from the Software
Personal Data retained in the cloud is deleted by digital command, never to be recovered again. And, when the cloud computing service relationship is terminated, all copies of the encryption keys required to make personal data usable are destroyed. Data deleted in this way cannot be accessed again.
3.2.1.3. Methods of Anonymization for Personal Data
Anonymization refers to making personal data incapable of being associated with an identified or identifiable natural person under any circumstances, including being associated with other data.
Removal of Variables
It is the removal of one or more of the direct identifiers that are included in the personal data of the data subject and that can be used to identify the data subject in any way.
This method can be used to anonymise personal data, as well as to delete personal data if there is information in the personal data that is not suitable for the purpose of data processing.
Regional Concealment
It is the process of deleting the information that may be distinctive for the data in the data table where personal data are collectively anonymised.
Generalization
It is the process of bringing together personal data belonging to many people and turning them into statistical data by removing the distinctive information.
Lower and Upper Limit Coding/Global Coding
For a certain variable, intervals for that variable are defined and categorised. If the variable does not contain a numeric value, then data close to each other in the variable are categorised.
Values within the same category are aggregated.
Micro-Aggregation
With this method, all records in the dataset are first arranged in a meaningful order and then the whole set is divided into a certain number of subsets. Then, the value of each subset for the determined variable is averaged and the value of that variable of the subset is replaced with the average value. In this way, the indirect identifiers in the data will be corrupted, thus making it difficult to associate the data with the data subject.
Data Hashing and Perturbation
Direct or indirect identifiers within the personal data are mixed (hashing) or distorted (perturbation) with other values and their relationship with the data subject is severed and they lose their identifying characteristics.
EVOLOG uses one or more of these anonymisation methods to anonymise personal data, depending on the nature of the relevant data. While using these anonymisation methods, EVOLOG may use K-Anonymity, L-Diversity and T-Closeness statistical methods.
3.3. DATA RETENTION AND DATA DESTRUCTION DEADLINES
3.3.1. Data Retention Period
DATA SUBJECT
DATA CATEGORY
DATA RETENTION PERIOD
Employee
Personnel information based on recruitment documents and notifications made to the Social Security Institution regarding the duration of service and wages
Such information shall be retained for the duration of the service contract and for a period of 50 (fifty) years after the expiry of the service contract.
Employee
Personnel information other than the personnel information based on recruitment documents and notifications made to the Social Security Institution regarding the duration of service and wages
Such information shall be retained for the duration of the service contract and for a period of 10 (ten) years starting from the beginning of the calendar year following the expiry of the service contract.
Employee
Data Contained in the Occupational Personal Health File
Such information shall be retained for the duration of the service contract and for a period of 30 (thirty) years after the expiry of the service contract.
Business Partner/Solution Partner/Consultant
Identity information obtained during the execution of the commercial relationship between the Business Partner/Solution Partner/Consultant and EVOLOG, contact details, financial information, voice recordings taken during telephone calls, and data regarding the employees of the Business Partner/Solution Partner/Consultant
Such information shall be retained for 10 years in accordance with Article No 146 of the Turkish Code of Obligations and Article No 82 of the Turkish Commercial Code during and after the termination of the business/commercial affairs between the Business Partner/Solution Partner/Consultant and EVOLOG.
Visitors
Name, Surname, Turkish ID Number, Vehicle Licence Plate and camera recordings of the visitors taken at the entry to the physical site belonging to EVOLOG, voice recordings taken during phone calls
Such information shall be retained for 2 years.
Website Visitors
Name, Surname, E-mail Address, browsing behaviour information of the Website Visitors
Such information shall be retained for 2 years.
Employee Candidate
The information contained in the CV and job application form of the Employee Candidate
Such information shall be retained for a maximum of 2 years, up to the date at which the CV shall be out of date.
Intern (Student)
Information contained in the internship file of the intern
Such information shall be retained for a period of 10 (ten) years from the beginning of the calendar year following the continuation and completion of the internship relationship.
Customer
Name, Surname, Turkish ID Number, Contact Details of the Customer, payment information and methods, browsing movements information, audio recordings taken during telephone calls, product/service preferences, transaction history, special day information
Such information shall be retained for a period of 10 years as per Article No 146 of the Turkish Code of Obligations and Article No 82 of the Turkish Commercial Code from the date of delivery of each product/service purchased by the Customer.
Customer
CCTV Footage, Vehicle Licence Plate Information
Such information shall be retained for 2 years.
Potential Customer
Identity information, contact details, financial information obtained during contract negotiations between the Potential Customer and EVOLOG for the establishment of a commercial relationship, audio recordings taken during telephone calls
Such information shall be retained for 2 years.
Institutions/Companies in Cooperation with EVOLOG (Supplier, Contract Manufacturer, Dealer/Franchise)
Identity information obtained during the execution of the commercial relationship between EVOLOG and the Institutions/Companies that EVOLOG is in cooperation with, contact details, financial information, audio recordings taken during telephone calls, employee data of the Institution/Company that EVOLOG is in cooperation with
Such information shall be retained for a period of 10 years in accordance with Article No 146 of the Turkish Code of Obligations and Article No 82 of the Turkish Commercial Code during and after the termination of the business/commercial affairs between EVOLOG and the Institutions/ Companies with which EVOLOG is in cooperation.
* In the event that a longer time period is regulated pursuant to the legislation or a longer period is stipulated for statute of limitations, forfeiture period, retention periods and the like pursuant to the legislation, the periods specified in the provisions of the legislation shall be accepted as the maximum retention period.
3.3.2. Data Destruction Deadlines
In the first periodic destruction process following the date on which the obligation to delete, destruct or anonymise the personal data for which EVOLOG is responsible in accordance with the Law, the relevant legislation, the Policy on Processing and Protection of Personal Data and this Policy on the Retention and Destruction of Personal Data arises, EVOLOG deletes, destructs or anonymises the personal data.
When the data subject requests the deletion or destruction of his/her personal data by applying to EVOLOG pursuant to Article No 13 of the Law:
a) If all the conditions for processing personal data are no longer applicable, EVOLOG deletes, destructs or anonymises the personal data subject to the request within 30 (thirty) days following the day of receipt of the request, explaining the reason for such deletion, destruction or anonymisation. In order for EVOLOG to be deemed to have received the request, the data subject must have made the request in full compliance with the Policy on Processing and Protection of Personal Data. In any case, the EVOLOG shall inform the data subject about the procedure.
b) If all the conditions for processing personal data have not disappeared, this request may be rejected by EVOLOG by explaining the reason in accordance with Paragraph No 3 of Article No 13 of the Law and the rejection response shall be notified to the data subject in writing or electronically within thirty days at the latest.
3.4. PERIODIC DESTRUCTION
If all the conditions for processing personal data specified in the Law are no longer applicable, EVOLOG deletes, destructs or anonymises the personal data whose processing conditions are no longer applicable by means of an ex officio process to be carried out at recurring intervals as specified in this Policy on the Retention and Destruction of Personal Data.
Periodic destruction procedures for the first time shall start on 30.06.2019 and shall be repeated every 6 (six) months.
3.5. SUPERVISION OF THE LAWFULNESS OF THE DESTRUCTION PROCEDURES
EVOLOG carries out ex officio destruction procedures in accordance with the Law, other legislation, the Policy on Processing and Protection of Personal Data and this Policy on the Retention and Destruction of Personal Data, both upon request and in periodic destruction periods.
EVOLOG takes a number of administrative and technical measures in order to ensure that destruction is carried out in full compliance with these regulations.
3.5.1. Technical Measures
EVOLOG maintains technical tools and equipment suitable for each method of destruction set out in this policy.
EVOLOG ensures the security of the place where the destruction procedures are carried out.
EVOLOG keeps records of the access of the persons who realize the destruction procedures.
EVOLOG employs competent and experienced staff to deal with the destruction procedures or procures services from competent third parties when necessary.
3.5.2. Administrative Measures
EVOLOG makes efforts to raise awareness of its employees who will carry out the destruction process on information security, privacy of personal data and privacy of private life.
EVOLOG procures legal and technical consultancy services in order to follow the developments in the field of information security, privacy of private life, protection of personal data and secure destruction techniques and to take necessary actions.
In cases where EVOLOG outsources the destruction process to third parties due to technical or legal requirements, EVOLOG signs protocols with the relevant third parties for the protection of personal data and takes all necessary care to ensure that the relevant third parties comply with their obligations in these protocols.
EVOLOG regularly audits whether the destruction procedures are carried out in line with the law and the conditions and obligations specified in this Policy on the Retention and Destruction of Personal Data, and takes the necessary actions.
EVOLOG keeps records of all transactions regarding the deletion, destruction and anonymisation of personal data and stores such records for at least three years, excluding other legal obligations.
PART 4: PERSONAL DATA COMMITTEE
EVOLOG shall establish a Personal Data Committee within itself. The Personal Data Committee is authorised and tasked to carry out the necessary actions and supervise the processes for the retention and processing of the data belonging to the data subjects in accordance with the law, the Policy on Processing and Protection of Personal Data and the Policy on the Retention and Destruction of Personal Data.
The Personal Data Committee consists of three persons: a manager, an administrative expert and a technical expert. The titles and job descriptions of EVOLOG employees working in the Personal Data Committee are listed below:
Title
Duty Description
Personal Data Committee Manager
The Personal Data Committee Manager is responsible for directing all kinds of planning, analysis, research, and risk determination studies in the projects carried out in the process of compliance with the Law, managing the processes to be carried out in accordance with the Law, the Policy on Processing and Protection of Personal Data and the Policy on the Retention and Destruction of Personal Data, and deciding on the requests submitted by the data subjects.
PPD (Protection of Personal Data) Specialist (Technical and Administrative)
PPD Specialist is responsible for reporting the requests of the data subjects to the Personal Data Committee Manager so that the requests of the data subjects are examined and considered, for carrying out the transactions regarding the requests of the data subjects considered and decided by the Personal Data Committee Manager in line with the decision of the Personal Data Committee Manager, for auditing the retention and destruction procedures, and for reporting these audits to the Personal Data Committee Manager, and for the fulfilment of the retention and destruction procedures.
PART 5: UPDATE AND COMPLIANCE
EVOLOG reserves the right to make amendments to the Policy on Processing and Protection of Personal Data or this Policy on the Retention and Destruction of Personal Data due to amendments to the Law, in accordance with the decisions of the Company or in line with developments in the sector or in the field of informatics.
Amendments made to this Policy on the Retention and Destruction of Personal Data are immediately incorporated into the text and explanations regarding the amendments are explained at the end of the Policy.
5.1 NOTES ON AMENDMENTS
01.03.2019: The Policy on the Retention and Destruction of Personal Data is published.
*There are no older dated amendments.
PART 1: NATURE AND PURPOSE OF THE DATA DESTRUCTION POLICY
1.1. INTRODUCTION
This Policy on the Destruction of Personal Data is prepared for the purpose of determining the procedures and principles to be followed by EVOLOG regarding the deletion, destruction or anonymisation of personal data, which, as EVOLOG NAKLIYAT VE LOJISTIK HIZMETLER TIC LTD ŞTI (hereinafter referred to as ‘EVOLOG’), we hold in the capacity of Data Controller, in accordance with Law No 6698 on the Protection of Personal Data and other legislation.
In this context, the personal data of our employees, employee candidates, customers and all natural persons who for any reason whatsoever submit their personal data to EVOLOG are managed in accordance with the laws within the framework of the Policy on Processing and Protection of Personal Data and this Policy on the Retention and Destruction of Personal Data.
1.2. DEFINITIONS
Direct Identifiers
It refers to identifiers that, on their own, directly reveal, disclose and make distinguishable the person with whom they are associated.
Indirect Identifiers
It refers to identifiers that, in combination with other identifiers, reveal, disclose and make distinguishable the person with whom they are associated.
Data Subject
It refers to the natural person whose personal data is processed.
Destruction
It refers to the deletion, destruction or anonymisation of personal data.
Law
It refers to Law No 6698 (published in the Official Gazette dated 07.04.2016 and numbered 29677) on the Protection of Personal Data.
Regulation
It refers to the Regulation (published in the Official Gazette dated 28.10.2017 and numbered 30224) on the Deletion, Destruction or Anonymisation of Personal Data.
Committee
It refers to the Personal Data Protection Committee.
Recording Medium
It refers to any kind of medium containing personal data processed by fully or partially automatic means or by non-automatic means, provided that it is part of any data recording system.
Policy on Processing and Protection of Personal Data
It refers to the policy defining the procedures and principles regarding the management of personal data held by EVOLOG, which can be accessed at www.evolog.com.tr
Data Recording System
It refers to the recording system where personal data are organised and processed according to certain criteria.
.
ABC
PART 2: MEDIUM AND SAFETY PRECAUTIONS
2.1. MEDIUM WHERE PERSONAL DATA ARE RETAINED
Personal data retained at EVOLOG are kept in a recording medium in accordance with the nature of the relevant data and our legal obligations.
The recording mediums that are generally used for the retention of personal data are listed below. However, some data may be kept in a different medium than the medium shown here due to their special characteristics or our legal obligations. In all cases, EVOLOG acts in the capacity of a Data Controller and processes and protects personal data in accordance with the Law, the Policy on Processing and Protection of Personal Data and this Policy on the Retention and Destruction of Personal Data.
a) Printed Medium: Medium in which data is retained by printing on paper or microfilms
b) Local Digital Medium: Servers, hard or portable discs, optical discs and other digital medium available within EVOLOG
c) Cloud Environments: These are the medium that are not available within EVOLOG, but are used by EVOLOG and where internet-based systems encrypted with cryptographic methods are employed.
2.2. ENSURING THE SECURITY OF THE MEDIUM
In order to retain personal data securely and to prevent unlawful processing and access, EVOLOG takes all necessary technical and administrative measures in accordance with the nature of the relevant personal data and the medium in which it is retained.
These measures include but are not limited to, the following administrative and technical measures to the extent appropriate to the nature of the personal data concerned and the medium in which it is kept.
2.2.1. Technical Measures
In all mediums where personal data is retained, EVOLOG takes the following technical measures in accordance with the nature of the relevant data and the nature of the medium in which the data is retained:
In the environments where personal data are kept, only up-to-date and secure systems that are in line with technological developments are used.
Security systems are used for the mediums where personal data are retained.
Security tests and investigations are carried out to identify security vulnerabilities in IT systems, and existing or potential risk issues identified at the end of the tests and investigations are eliminated.
Access to data is restricted and, limited to the purpose of retaining personal data, only authorised persons are allowed to access the mediums where personal data are retained and all accesses are logged.
EVOLOG employs a sufficient number of technical personnel to ensure the security of the environments where personal data are retained.
2.2.2. Administrative Measures
In all mediums where personal data is retained, EVOLOG takes the following administrative measures in accordance with the nature of the relevant data and the nature of the medium in which the data is retained:
Efforts are being made to raise awareness of all EVOLOG employees who have access to personal data on information security, privacy of personal data and privacy of private life.
Legal and technical consultancy services are procured in order to closely follow the developments in the field of information security, privacy of private life and protection of personal data and to take necessary actions.
In the event that personal data is passed on to third parties due to technical or legal requirements, protocols are signed with the relevant third parties for the protection of personal data, and all necessary care is taken to ensure that the relevant third parties comply with the obligations in these protocols.
2.2.3. In-house Audits
As per Article No 12 of the Law, EVOLOG conducts in-house audits regarding the implementation of the provisions of the Law and the provisions of this Policy on the Retention and Destruction of Personal Data and the Policy on the Processing and Protection of Personal Data.
In the event that deficiencies or defects regarding the implementation of these provisions are detected during in-house audits, these deficiencies or defects shall be remedied immediately.
In case, during the audit or in any other way, it is understood that the personal data under the responsibility of EVOLOG is obtained by others illegally, EVOLOG shall notify the data subject and the Committee as soon as possible.
-
PART 3: DESTRUCTION OF PERSONAL DATA
3.1. REASONS FOR RETENTION AND DESTRUCTION
3.1.1. Reasons for Retention of Personal Data
Personal data kept under the roof of EVOLOG are retained for the purposes and reasons specified herein in accordance with the Law and our Policy on Personal Data (you can access the relevant policy at the following address: www.evolog.com.tr).
3.1.2. Reasons for Destruction of Personal Data
Personal data retained by EVOLOG shall be deleted, destructed or anonymised ex officio in accordance with this Policy on Destruction of Personal Data upon the request of the data subject or in the event of the disappearance of the reasons listed in Article No 5 and Article No 6 of the Law.
The reasons listed in Article No 5 and Article No 6 of the Law are as follows:
a) If it is explicitly stipulated in the laws
b) If it is mandatory for the purpose of protecting the life and bodily integrity of a person or another person, whose consent does not have legal validity or who is not capable of expressing his/her consent due to actual impracticalities
c) If it is necessary to process personal data belonging to the parties to the contract, provided that it is directly related to the establishment or performance of a contract
d) If it is mandatory for the data controller to fulfil its legal obligations
e) If it has been publicised by the data subject himself/herself
f) If data processing is mandatory for the establishment, exercise or protection of a right
g) If data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedom of the data subject
3.2. METHODS OF DESTRUCTION OF PERSONAL DATA
EVOLOG shall ex officio delete, destruct or anonymise the personal data that it retains in accordance with the Law and other legislation and the Policy on Processing and Protection of Personal Data, in the event that the reasons requiring the processing of the data disappear, upon the request of the data subject or within the periods specified in this Policy on the Retention and Destruction of Personal Data.
The most common deletion, destruction and anonymisation techniques used by EVOLOG are listed below:
3.2.1.1 Methods of Deletion of Personal Data
Methods of Deletion for Personal Data Retained in Printed Medium
Blackout
Personal Data retained in printed medium is deleted by using the blackout method. The blackout procedure is performed by cutting out the personal data on the relevant document, where possible, and, where not possible, by making it invisible by using fixed ink in such a way that the data cannot be reversed and cannot be read by means of technological solutions.
Methods of Deletion for Personal Data Retained in Cloud Environments and Local Digital Mediums
Secure Deletion from the Software
Personal data retained in the cloud environments or local digital mediums are deleted by digital commands in such a way that they cannot be recovered again. Data deleted in this way cannot be accessed again.
3.2.1.2 Methods of Destruction for Personal Data
Methods of Destruction for Personal Data Retained in Printed Mediums
Physical Destruction
Documents kept in printed form are destroyed by document destruction machines in such a way that they cannot be brought together again.
Methods of Destruction for Personal Data Retained in Local Digital Mediums
Physical Destruction
It is the process of physically destroying optical and magnetic media containing personal data, such as melting, burning or pulverising. The data is rendered inaccessible by processes such as melting, burning, pulverising or passing the optical or magnetic media through a metal grinder.
De-magnetisation (Degauss)
It is the process of distorting the data on the magnetic medium in an unreadable way by exposing it to a high magnetic field.
Overwriting
Random data consisting of 0s and 1s are written at least seven times on the magnetic medium and rewritable optical media, preventing the old data from being read and recovered.
Methods of Destruction for Personal Data Retained in Cloud Environments
Secure Deletion from the Software
Personal Data retained in the cloud is deleted by digital command, never to be recovered again. And, when the cloud computing service relationship is terminated, all copies of the encryption keys required to make personal data usable are destroyed. Data deleted in this way cannot be accessed again.
3.2.1.3. Methods of Anonymization for Personal Data
Anonymization refers to making personal data incapable of being associated with an identified or identifiable natural person under any circumstances, including being associated with other data.
Removal of Variables
It is the removal of one or more of the direct identifiers that are included in the personal data of the data subject and that can be used to identify the data subject in any way.
This method can be used to anonymise personal data, as well as to delete personal data if there is information in the personal data that is not suitable for the purpose of data processing.
Regional Concealment
It is the process of deleting the information that may be distinctive for the data in the data table where personal data are collectively anonymised.
Generalization
It is the process of bringing together personal data belonging to many people and turning them into statistical data by removing the distinctive information.
Lower and Upper Limit Coding/Global Coding
For a certain variable, intervals for that variable are defined and categorised. If the variable does not contain a numeric value, then data close to each other in the variable are categorised.
Values within the same category are aggregated.
Micro-Aggregation
With this method, all records in the dataset are first arranged in a meaningful order and then the whole set is divided into a certain number of subsets. Then, the value of each subset for the determined variable is averaged and the value of that variable of the subset is replaced with the average value. In this way, the indirect identifiers in the data will be corrupted, thus making it difficult to associate the data with the data subject.
Data Hashing and Perturbation
Direct or indirect identifiers within the personal data are mixed (hashing) or distorted (perturbation) with other values and their relationship with the data subject is severed and they lose their identifying characteristics.
EVOLOG uses one or more of these anonymisation methods to anonymise personal data, depending on the nature of the relevant data. While using these anonymisation methods, EVOLOG may use K-Anonymity, L-Diversity and T-Closeness statistical methods.
3.3. DATA RETENTION AND DATA DESTRUCTION DEADLINES
3.3.1. Data Retention Period
DATA SUBJECT
DATA CATEGORY
DATA RETENTION PERIOD
Employee
Personnel information based on recruitment documents and notifications made to the Social Security Institution regarding the duration of service and wages
Such information shall be retained for the duration of the service contract and for a period of 50 (fifty) years after the expiry of the service contract.
Employee
Personnel information other than the personnel information based on recruitment documents and notifications made to the Social Security Institution regarding the duration of service and wages
Such information shall be retained for the duration of the service contract and for a period of 10 (ten) years starting from the beginning of the calendar year following the expiry of the service contract.
Employee
Data Contained in the Occupational Personal Health File
Such information shall be retained for the duration of the service contract and for a period of 30 (thirty) years after the expiry of the service contract.
Business Partner/Solution Partner/Consultant
Identity information obtained during the execution of the commercial relationship between the Business Partner/Solution Partner/Consultant and EVOLOG, contact details, financial information, voice recordings taken during telephone calls, and data regarding the employees of the Business Partner/Solution Partner/Consultant
Such information shall be retained for 10 years in accordance with Article No 146 of the Turkish Code of Obligations and Article No 82 of the Turkish Commercial Code during and after the termination of the business/commercial affairs between the Business Partner/Solution Partner/Consultant and EVOLOG.
Visitors
Name, Surname, Turkish ID Number, Vehicle Licence Plate and camera recordings of the visitors taken at the entry to the physical site belonging to EVOLOG, voice recordings taken during phone calls
Such information shall be retained for 2 years.
Website Visitors
Name, Surname, E-mail Address, browsing behaviour information of the Website Visitors
Such information shall be retained for 2 years.
Employee Candidate
The information contained in the CV and job application form of the Employee Candidate
Such information shall be retained for a maximum of 2 years, up to the date at which the CV shall be out of date.
Intern (Student)
Information contained in the internship file of the intern
Such information shall be retained for a period of 10 (ten) years from the beginning of the calendar year following the continuation and completion of the internship relationship.
Customer
Name, Surname, Turkish ID Number, Contact Details of the Customer, payment information and methods, browsing movements information, audio recordings taken during telephone calls, product/service preferences, transaction history, special day information
Such information shall be retained for a period of 10 years as per Article No 146 of the Turkish Code of Obligations and Article No 82 of the Turkish Commercial Code from the date of delivery of each product/service purchased by the Customer.
Customer
CCTV Footage, Vehicle Licence Plate Information
Such information shall be retained for 2 years.
Potential Customer
Identity information, contact details, financial information obtained during contract negotiations between the Potential Customer and EVOLOG for the establishment of a commercial relationship, audio recordings taken during telephone calls
Such information shall be retained for 2 years.
Institutions/Companies in Cooperation with EVOLOG (Supplier, Contract Manufacturer, Dealer/Franchise)
Identity information obtained during the execution of the commercial relationship between EVOLOG and the Institutions/Companies that EVOLOG is in cooperation with, contact details, financial information, audio recordings taken during telephone calls, employee data of the Institution/Company that EVOLOG is in cooperation with
Such information shall be retained for a period of 10 years in accordance with Article No 146 of the Turkish Code of Obligations and Article No 82 of the Turkish Commercial Code during and after the termination of the business/commercial affairs between EVOLOG and the Institutions/ Companies with which EVOLOG is in cooperation.
* In the event that a longer time period is regulated pursuant to the legislation or a longer period is stipulated for statute of limitations, forfeiture period, retention periods and the like pursuant to the legislation, the periods specified in the provisions of the legislation shall be accepted as the maximum retention period.
3.3.2. Data Destruction Deadlines
In the first periodic destruction process following the date on which the obligation to delete, destruct or anonymise the personal data for which EVOLOG is responsible in accordance with the Law, the relevant legislation, the Policy on Processing and Protection of Personal Data and this Policy on the Retention and Destruction of Personal Data arises, EVOLOG deletes, destructs or anonymises the personal data.
When the data subject requests the deletion or destruction of his/her personal data by applying to EVOLOG pursuant to Article No 13 of the Law:
a) If all the conditions for processing personal data are no longer applicable, EVOLOG deletes, destructs or anonymises the personal data subject to the request within 30 (thirty) days following the day of receipt of the request, explaining the reason for such deletion, destruction or anonymisation. In order for EVOLOG to be deemed to have received the request, the data subject must have made the request in full compliance with the Policy on Processing and Protection of Personal Data. In any case, the EVOLOG shall inform the data subject about the procedure.
b) If all the conditions for processing personal data have not disappeared, this request may be rejected by EVOLOG by explaining the reason in accordance with Paragraph No 3 of Article No 13 of the Law and the rejection response shall be notified to the data subject in writing or electronically within thirty days at the latest.
3.4. PERIODIC DESTRUCTION
If all the conditions for processing personal data specified in the Law are no longer applicable, EVOLOG deletes, destructs or anonymises the personal data whose processing conditions are no longer applicable by means of an ex officio process to be carried out at recurring intervals as specified in this Policy on the Retention and Destruction of Personal Data.
Periodic destruction procedures for the first time shall start on 30.06.2019 and shall be repeated every 6 (six) months.
3.5. SUPERVISION OF THE LAWFULNESS OF THE DESTRUCTION PROCEDURES
EVOLOG carries out ex officio destruction procedures in accordance with the Law, other legislation, the Policy on Processing and Protection of Personal Data and this Policy on the Retention and Destruction of Personal Data, both upon request and in periodic destruction periods.
EVOLOG takes a number of administrative and technical measures in order to ensure that destruction is carried out in full compliance with these regulations.
3.5.1. Technical Measures
EVOLOG maintains technical tools and equipment suitable for each method of destruction set out in this policy.
EVOLOG ensures the security of the place where the destruction procedures are carried out.
EVOLOG keeps records of the access of the persons who realize the destruction procedures.
EVOLOG employs competent and experienced staff to deal with the destruction procedures or procures services from competent third parties when necessary.
3.5.2. Administrative Measures
EVOLOG makes efforts to raise awareness of its employees who will carry out the destruction process on information security, privacy of personal data and privacy of private life.
EVOLOG procures legal and technical consultancy services in order to follow the developments in the field of information security, privacy of private life, protection of personal data and secure destruction techniques and to take necessary actions.
In cases where EVOLOG outsources the destruction process to third parties due to technical or legal requirements, EVOLOG signs protocols with the relevant third parties for the protection of personal data and takes all necessary care to ensure that the relevant third parties comply with their obligations in these protocols.
EVOLOG regularly audits whether the destruction procedures are carried out in line with the law and the conditions and obligations specified in this Policy on the Retention and Destruction of Personal Data, and takes the necessary actions.
EVOLOG keeps records of all transactions regarding the deletion, destruction and anonymisation of personal data and stores such records for at least three years, excluding other legal obligations.
PART 4: PERSONAL DATA COMMITTEE
EVOLOG shall establish a Personal Data Committee within itself. The Personal Data Committee is authorised and tasked to carry out the necessary actions and supervise the processes for the retention and processing of the data belonging to the data subjects in accordance with the law, the Policy on Processing and Protection of Personal Data and the Policy on the Retention and Destruction of Personal Data.
The Personal Data Committee consists of three persons: a manager, an administrative expert and a technical expert. The titles and job descriptions of EVOLOG employees working in the Personal Data Committee are listed below:
Title
Duty Description
Personal Data Committee Manager
The Personal Data Committee Manager is responsible for directing all kinds of planning, analysis, research, and risk determination studies in the projects carried out in the process of compliance with the Law, managing the processes to be carried out in accordance with the Law, the Policy on Processing and Protection of Personal Data and the Policy on the Retention and Destruction of Personal Data, and deciding on the requests submitted by the data subjects.
PPD (Protection of Personal Data) Specialist (Technical and Administrative)
PPD Specialist is responsible for reporting the requests of the data subjects to the Personal Data Committee Manager so that the requests of the data subjects are examined and considered, for carrying out the transactions regarding the requests of the data subjects considered and decided by the Personal Data Committee Manager in line with the decision of the Personal Data Committee Manager, for auditing the retention and destruction procedures, and for reporting these audits to the Personal Data Committee Manager, and for the fulfilment of the retention and destruction procedures.
PART 5: UPDATE AND COMPLIANCE
EVOLOG reserves the right to make amendments to the Policy on Processing and Protection of Personal Data or this Policy on the Retention and Destruction of Personal Data due to amendments to the Law, in accordance with the decisions of the Company or in line with developments in the sector or in the field of informatics.
Amendments made to this Policy on the Retention and Destruction of Personal Data are immediately incorporated into the text and explanations regarding the amendments are explained at the end of the Policy.
5.1 NOTES ON AMENDMENTS
01.03.2019: The Policy on the Retention and Destruction of Personal Data is published.
*There are no older dated amendments.
PART 1: NATURE AND PURPOSE OF THE DATA DESTRUCTION POLICY
1.1. INTRODUCTION
This Policy on the Destruction of Personal Data is prepared for the purpose of determining the procedures and principles to be followed by EVOLOG regarding the deletion, destruction or anonymisation of personal data, which, as EVOLOG NAKLIYAT VE LOJISTIK HIZMETLER TIC LTD ŞTI (hereinafter referred to as ‘EVOLOG’), we hold in the capacity of Data Controller, in accordance with Law No 6698 on the Protection of Personal Data and other legislation.
In this context, the personal data of our employees, employee candidates, customers and all natural persons who for any reason whatsoever submit their personal data to EVOLOG are managed in accordance with the laws within the framework of the Policy on Processing and Protection of Personal Data and this Policy on the Retention and Destruction of Personal Data.
1.2. DEFINITIONS
Direct Identifiers
It refers to identifiers that, on their own, directly reveal, disclose and make distinguishable the person with whom they are associated.
Indirect Identifiers
It refers to identifiers that, in combination with other identifiers, reveal, disclose and make distinguishable the person with whom they are associated.
Data Subject
It refers to the natural person whose personal data is processed.
Destruction
It refers to the deletion, destruction or anonymisation of personal data.
Law
It refers to Law No 6698 (published in the Official Gazette dated 07.04.2016 and numbered 29677) on the Protection of Personal Data.
Regulation
It refers to the Regulation (published in the Official Gazette dated 28.10.2017 and numbered 30224) on the Deletion, Destruction or Anonymisation of Personal Data.
Committee
It refers to the Personal Data Protection Committee.
Recording Medium
It refers to any kind of medium containing personal data processed by fully or partially automatic means or by non-automatic means, provided that it is part of any data recording system.
Policy on Processing and Protection of Personal Data
It refers to the policy defining the procedures and principles regarding the management of personal data held by EVOLOG, which can be accessed at www.evolog.com.tr
Data Recording System
It refers to the recording system where personal data are organised and processed according to certain criteria.
.
PART 2: MEDIUM AND SAFETY PRECAUTIONS
2.1. MEDIUM WHERE PERSONAL DATA ARE RETAINED
Personal data retained at EVOLOG are kept in a recording medium in accordance with the nature of the relevant data and our legal obligations.
The recording mediums that are generally used for the retention of personal data are listed below. However, some data may be kept in a different medium than the medium shown here due to their special characteristics or our legal obligations. In all cases, EVOLOG acts in the capacity of a Data Controller and processes and protects personal data in accordance with the Law, the Policy on Processing and Protection of Personal Data and this Policy on the Retention and Destruction of Personal Data.
a) Printed Medium: Medium in which data is retained by printing on paper or microfilms
b) Local Digital Medium: Servers, hard or portable discs, optical discs and other digital medium available within EVOLOG
c) Cloud Environments: These are the medium that are not available within EVOLOG, but are used by EVOLOG and where internet-based systems encrypted with cryptographic methods are employed.
2.2. ENSURING THE SECURITY OF THE MEDIUM
In order to retain personal data securely and to prevent unlawful processing and access, EVOLOG takes all necessary technical and administrative measures in accordance with the nature of the relevant personal data and the medium in which it is retained.
These measures include but are not limited to, the following administrative and technical measures to the extent appropriate to the nature of the personal data concerned and the medium in which it is kept.
2.2.1. Technical Measures
In all mediums where personal data is retained, EVOLOG takes the following technical measures in accordance with the nature of the relevant data and the nature of the medium in which the data is retained:
In the environments where personal data are kept, only up-to-date and secure systems that are in line with technological developments are used.
Security systems are used for the mediums where personal data are retained.
Security tests and investigations are carried out to identify security vulnerabilities in IT systems, and existing or potential risk issues identified at the end of the tests and investigations are eliminated.
Access to data is restricted and, limited to the purpose of retaining personal data, only authorised persons are allowed to access the mediums where personal data are retained and all accesses are logged.
EVOLOG employs a sufficient number of technical personnel to ensure the security of the environments where personal data are retained.
2.2.2. Administrative Measures
In all mediums where personal data is retained, EVOLOG takes the following administrative measures in accordance with the nature of the relevant data and the nature of the medium in which the data is retained:
Efforts are being made to raise awareness of all EVOLOG employees who have access to personal data on information security, privacy of personal data and privacy of private life.
Legal and technical consultancy services are procured in order to closely follow the developments in the field of information security, privacy of private life and protection of personal data and to take necessary actions.
In the event that personal data is passed on to third parties due to technical or legal requirements, protocols are signed with the relevant third parties for the protection of personal data, and all necessary care is taken to ensure that the relevant third parties comply with the obligations in these protocols.
2.2.3. In-house Audits
As per Article No 12 of the Law, EVOLOG conducts in-house audits regarding the implementation of the provisions of the Law and the provisions of this Policy on the Retention and Destruction of Personal Data and the Policy on the Processing and Protection of Personal Data.
In the event that deficiencies or defects regarding the implementation of these provisions are detected during in-house audits, these deficiencies or defects shall be remedied immediately.
In case, during the audit or in any other way, it is understood that the personal data under the responsibility of EVOLOG is obtained by others illegally, EVOLOG shall notify the data subject and the Committee as soon as possible.
-
PART 3: DESTRUCTION OF PERSONAL DATA
3.1. REASONS FOR RETENTION AND DESTRUCTION
3.1.1. Reasons for Retention of Personal Data
Personal data kept under the roof of EVOLOG are retained for the purposes and reasons specified herein in accordance with the Law and our Policy on Personal Data (you can access the relevant policy at the following address: www.evolog.com.tr).
3.1.2. Reasons for Destruction of Personal Data
Personal data retained by EVOLOG shall be deleted, destructed or anonymised ex officio in accordance with this Policy on Destruction of Personal Data upon the request of the data subject or in the event of the disappearance of the reasons listed in Article No 5 and Article No 6 of the Law.
The reasons listed in Article No 5 and Article No 6 of the Law are as follows:
a) If it is explicitly stipulated in the laws
b) If it is mandatory for the purpose of protecting the life and bodily integrity of a person or another person, whose consent does not have legal validity or who is not capable of expressing his/her consent due to actual impracticalities
c) If it is necessary to process personal data belonging to the parties to the contract, provided that it is directly related to the establishment or performance of a contract
d) If it is mandatory for the data controller to fulfil its legal obligations
e) If it has been publicised by the data subject himself/herself
f) If data processing is mandatory for the establishment, exercise or protection of a right
g) If data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedom of the data subject
3.2. METHODS OF DESTRUCTION OF PERSONAL DATA
EVOLOG shall ex officio delete, destruct or anonymise the personal data that it retains in accordance with the Law and other legislation and the Policy on Processing and Protection of Personal Data, in the event that the reasons requiring the processing of the data disappear, upon the request of the data subject or within the periods specified in this Policy on the Retention and Destruction of Personal Data.
The most common deletion, destruction and anonymisation techniques used by EVOLOG are listed below:
3.2.1.1 Methods of Deletion of Personal Data
Methods of Deletion for Personal Data Retained in Printed Medium
Blackout
Personal Data retained in printed medium is deleted by using the blackout method. The blackout procedure is performed by cutting out the personal data on the relevant document, where possible, and, where not possible, by making it invisible by using fixed ink in such a way that the data cannot be reversed and cannot be read by means of technological solutions.
Methods of Deletion for Personal Data Retained in Cloud Environments and Local Digital Mediums
Secure Deletion from the Software
Personal data retained in the cloud environments or local digital mediums are deleted by digital commands in such a way that they cannot be recovered again. Data deleted in this way cannot be accessed again.
3.2.1.2 Methods of Destruction for Personal Data
Methods of Destruction for Personal Data Retained in Printed Mediums
Physical Destruction
Documents kept in printed form are destroyed by document destruction machines in such a way that they cannot be brought together again.
Methods of Destruction for Personal Data Retained in Local Digital Mediums
Physical Destruction
It is the process of physically destroying optical and magnetic media containing personal data, such as melting, burning or pulverising. The data is rendered inaccessible by processes such as melting, burning, pulverising or passing the optical or magnetic media through a metal grinder.
De-magnetisation (Degauss)
It is the process of distorting the data on the magnetic medium in an unreadable way by exposing it to a high magnetic field.
Overwriting
Random data consisting of 0s and 1s are written at least seven times on the magnetic medium and rewritable optical media, preventing the old data from being read and recovered.
Methods of Destruction for Personal Data Retained in Cloud Environments
Secure Deletion from the Software
Personal Data retained in the cloud is deleted by digital command, never to be recovered again. And, when the cloud computing service relationship is terminated, all copies of the encryption keys required to make personal data usable are destroyed. Data deleted in this way cannot be accessed again.
3.2.1.3. Methods of Anonymization for Personal Data
Anonymization refers to making personal data incapable of being associated with an identified or identifiable natural person under any circumstances, including being associated with other data.
Removal of Variables
It is the removal of one or more of the direct identifiers that are included in the personal data of the data subject and that can be used to identify the data subject in any way.
This method can be used to anonymise personal data, as well as to delete personal data if there is information in the personal data that is not suitable for the purpose of data processing.
Regional Concealment
It is the process of deleting the information that may be distinctive for the data in the data table where personal data are collectively anonymised.
Generalization
It is the process of bringing together personal data belonging to many people and turning them into statistical data by removing the distinctive information.
Lower and Upper Limit Coding/Global Coding
For a certain variable, intervals for that variable are defined and categorised. If the variable does not contain a numeric value, then data close to each other in the variable are categorised.
Values within the same category are aggregated.
Micro-Aggregation
With this method, all records in the dataset are first arranged in a meaningful order and then the whole set is divided into a certain number of subsets. Then, the value of each subset for the determined variable is averaged and the value of that variable of the subset is replaced with the average value. In this way, the indirect identifiers in the data will be corrupted, thus making it difficult to associate the data with the data subject.
Data Hashing and Perturbation
Direct or indirect identifiers within the personal data are mixed (hashing) or distorted (perturbation) with other values and their relationship with the data subject is severed and they lose their identifying characteristics.
EVOLOG uses one or more of these anonymisation methods to anonymise personal data, depending on the nature of the relevant data. While using these anonymisation methods, EVOLOG may use K-Anonymity, L-Diversity and T-Closeness statistical methods.
3.3. DATA RETENTION AND DATA DESTRUCTION DEADLINES
3.3.1. Data Retention Period
DATA SUBJECT
DATA CATEGORY
DATA RETENTION PERIOD
Employee
Personnel information based on recruitment documents and notifications made to the Social Security Institution regarding the duration of service and wages
Such information shall be retained for the duration of the service contract and for a period of 50 (fifty) years after the expiry of the service contract.
Employee
Personnel information other than the personnel information based on recruitment documents and notifications made to the Social Security Institution regarding the duration of service and wages
Such information shall be retained for the duration of the service contract and for a period of 10 (ten) years starting from the beginning of the calendar year following the expiry of the service contract.
Employee
Data Contained in the Occupational Personal Health File
Such information shall be retained for the duration of the service contract and for a period of 30 (thirty) years after the expiry of the service contract.
Business Partner/Solution Partner/Consultant
Identity information obtained during the execution of the commercial relationship between the Business Partner/Solution Partner/Consultant and EVOLOG, contact details, financial information, voice recordings taken during telephone calls, and data regarding the employees of the Business Partner/Solution Partner/Consultant
Such information shall be retained for 10 years in accordance with Article No 146 of the Turkish Code of Obligations and Article No 82 of the Turkish Commercial Code during and after the termination of the business/commercial affairs between the Business Partner/Solution Partner/Consultant and EVOLOG.
Visitors
Name, Surname, Turkish ID Number, Vehicle Licence Plate and camera recordings of the visitors taken at the entry to the physical site belonging to EVOLOG, voice recordings taken during phone calls
Such information shall be retained for 2 years.
Website Visitors
Name, Surname, E-mail Address, browsing behaviour information of the Website Visitors
Such information shall be retained for 2 years.
Employee Candidate
The information contained in the CV and job application form of the Employee Candidate
Such information shall be retained for a maximum of 2 years, up to the date at which the CV shall be out of date.
Intern (Student)
Information contained in the internship file of the intern
Such information shall be retained for a period of 10 (ten) years from the beginning of the calendar year following the continuation and completion of the internship relationship.
Customer
Name, Surname, Turkish ID Number, Contact Details of the Customer, payment information and methods, browsing movements information, audio recordings taken during telephone calls, product/service preferences, transaction history, special day information
Such information shall be retained for a period of 10 years as per Article No 146 of the Turkish Code of Obligations and Article No 82 of the Turkish Commercial Code from the date of delivery of each product/service purchased by the Customer.
Customer
CCTV Footage, Vehicle Licence Plate Information
Such information shall be retained for 2 years.
Potential Customer
Identity information, contact details, financial information obtained during contract negotiations between the Potential Customer and EVOLOG for the establishment of a commercial relationship, audio recordings taken during telephone calls
Such information shall be retained for 2 years.
Institutions/Companies in Cooperation with EVOLOG (Supplier, Contract Manufacturer, Dealer/Franchise)
Identity information obtained during the execution of the commercial relationship between EVOLOG and the Institutions/Companies that EVOLOG is in cooperation with, contact details, financial information, audio recordings taken during telephone calls, employee data of the Institution/Company that EVOLOG is in cooperation with
Such information shall be retained for a period of 10 years in accordance with Article No 146 of the Turkish Code of Obligations and Article No 82 of the Turkish Commercial Code during and after the termination of the business/commercial affairs between EVOLOG and the Institutions/ Companies with which EVOLOG is in cooperation.
* In the event that a longer time period is regulated pursuant to the legislation or a longer period is stipulated for statute of limitations, forfeiture period, retention periods and the like pursuant to the legislation, the periods specified in the provisions of the legislation shall be accepted as the maximum retention period.
3.3.2. Data Destruction Deadlines
In the first periodic destruction process following the date on which the obligation to delete, destruct or anonymise the personal data for which EVOLOG is responsible in accordance with the Law, the relevant legislation, the Policy on Processing and Protection of Personal Data and this Policy on the Retention and Destruction of Personal Data arises, EVOLOG deletes, destructs or anonymises the personal data.
When the data subject requests the deletion or destruction of his/her personal data by applying to EVOLOG pursuant to Article No 13 of the Law:
a) If all the conditions for processing personal data are no longer applicable, EVOLOG deletes, destructs or anonymises the personal data subject to the request within 30 (thirty) days following the day of receipt of the request, explaining the reason for such deletion, destruction or anonymisation. In order for EVOLOG to be deemed to have received the request, the data subject must have made the request in full compliance with the Policy on Processing and Protection of Personal Data. In any case, the EVOLOG shall inform the data subject about the procedure.
b) If all the conditions for processing personal data have not disappeared, this request may be rejected by EVOLOG by explaining the reason in accordance with Paragraph No 3 of Article No 13 of the Law and the rejection response shall be notified to the data subject in writing or electronically within thirty days at the latest.
3.4. PERIODIC DESTRUCTION
If all the conditions for processing personal data specified in the Law are no longer applicable, EVOLOG deletes, destructs or anonymises the personal data whose processing conditions are no longer applicable by means of an ex officio process to be carried out at recurring intervals as specified in this Policy on the Retention and Destruction of Personal Data.
Periodic destruction procedures for the first time shall start on 30.06.2019 and shall be repeated every 6 (six) months.
3.5. SUPERVISION OF THE LAWFULNESS OF THE DESTRUCTION PROCEDURES
EVOLOG carries out ex officio destruction procedures in accordance with the Law, other legislation, the Policy on Processing and Protection of Personal Data and this Policy on the Retention and Destruction of Personal Data, both upon request and in periodic destruction periods.
EVOLOG takes a number of administrative and technical measures in order to ensure that destruction is carried out in full compliance with these regulations.
3.5.1. Technical Measures
EVOLOG maintains technical tools and equipment suitable for each method of destruction set out in this policy.
EVOLOG ensures the security of the place where the destruction procedures are carried out.
EVOLOG keeps records of the access of the persons who realize the destruction procedures.
EVOLOG employs competent and experienced staff to deal with the destruction procedures or procures services from competent third parties when necessary.
3.5.2. Administrative Measures
EVOLOG makes efforts to raise awareness of its employees who will carry out the destruction process on information security, privacy of personal data and privacy of private life.
EVOLOG procures legal and technical consultancy services in order to follow the developments in the field of information security, privacy of private life, protection of personal data and secure destruction techniques and to take necessary actions.
In cases where EVOLOG outsources the destruction process to third parties due to technical or legal requirements, EVOLOG signs protocols with the relevant third parties for the protection of personal data and takes all necessary care to ensure that the relevant third parties comply with their obligations in these protocols.
EVOLOG regularly audits whether the destruction procedures are carried out in line with the law and the conditions and obligations specified in this Policy on the Retention and Destruction of Personal Data, and takes the necessary actions.
EVOLOG keeps records of all transactions regarding the deletion, destruction and anonymisation of personal data and stores such records for at least three years, excluding other legal obligations.
PART 4: PERSONAL DATA COMMITTEE
EVOLOG shall establish a Personal Data Committee within itself. The Personal Data Committee is authorised and tasked to carry out the necessary actions and supervise the processes for the retention and processing of the data belonging to the data subjects in accordance with the law, the Policy on Processing and Protection of Personal Data and the Policy on the Retention and Destruction of Personal Data.
The Personal Data Committee consists of three persons: a manager, an administrative expert and a technical expert. The titles and job descriptions of EVOLOG employees working in the Personal Data Committee are listed below:
Title
Duty Description
Personal Data Committee Manager
The Personal Data Committee Manager is responsible for directing all kinds of planning, analysis, research, and risk determination studies in the projects carried out in the process of compliance with the Law, managing the processes to be carried out in accordance with the Law, the Policy on Processing and Protection of Personal Data and the Policy on the Retention and Destruction of Personal Data, and deciding on the requests submitted by the data subjects.
PPD (Protection of Personal Data) Specialist (Technical and Administrative)
PPD Specialist is responsible for reporting the requests of the data subjects to the Personal Data Committee Manager so that the requests of the data subjects are examined and considered, for carrying out the transactions regarding the requests of the data subjects considered and decided by the Personal Data Committee Manager in line with the decision of the Personal Data Committee Manager, for auditing the retention and destruction procedures, and for reporting these audits to the Personal Data Committee Manager, and for the fulfilment of the retention and destruction procedures.
PART 5: UPDATE AND COMPLIANCE
EVOLOG reserves the right to make amendments to the Policy on Processing and Protection of Personal Data or this Policy on the Retention and Destruction of Personal Data due to amendments to the Law, in accordance with the decisions of the Company or in line with developments in the sector or in the field of informatics.
Amendments made to this Policy on the Retention and Destruction of Personal Data are immediately incorporated into the text and explanations regarding the amendments are explained at the end of the Policy.
5.1 NOTES ON AMENDMENTS
01.03.2019: The Policy on the Retention and Destruction of Personal Data is published.
*There are no older dated amendments.
Our Services
© EvoLog™. All Rights Reserved.
Our Services
© EvoLog™. All Rights Reserved.
Our Services
© EvoLog™. All Rights Reserved.