Personal Data Retention and Disposal Policy - Ender Aluminium

Personal Data Retention and Disposal Policy

 

ENDER ALÜMİNYUM SANAYİ VE TİCARET ANONİM ŞİRKETİ

 

PERSONAL DATA

RETENTION AND DISPOSAL POLICY

 

 

CONTENTS

 

  1. PURPOSE
  2. RECORDING MEDIA WHERE PERSONAL DATA IS STORED
  3. EXPLANATIONS REGARDING REASONS REQUIRING RETENTION
  4. MEASURES TAKEN FOR THE PROTECTION OF PERSONAL DATA

4.1 Technical Measures

4.2 Administrative Measures

  5. MEASURES TAKEN REGARDING THE DISPOSAL OF PERSONAL DATA

5.1 Methods for Deletion, Destruction, and Anonymization of Personal Data

5.1.1 Deletion of Personal Data

5.1.2 Destruction of Personal Data

5.1.3 Anonymization of Personal Data

  6. PERSONAL DATA RETENTION AND DISPOSAL PERIODS
  7. PERIODIC DISPOSAL PERIODS
  8. PERSONNEL
  9. REVISION AND REPEAL
  10. ENTRY INTO FORCE

ANNEX 1- Data Retention and Disposal Periods

ANNEX 2- Table of Personnel Responsible for Personal Data Retention and Disposal

ANNEX 3- Internal Directive of the Personal Data Protection Committee

 


1. PURPOSE

 

This Personal Data Retention and Disposal Policy is issued by Ender Alüminyum Sanayi ve Ticaret Anonim Şirketi (“Company”) to regulate the technical and administrative protection of personal data in accordance with the Personal Data Protection Law No. 6698 (“Law”) and the implementation of the provisions of the Regulation on Deletion, Destruction, or Anonymization of Personal Data published in the Official Gazette dated 28/10/2017 (“Regulation”) in cases where the conditions for processing personal data disappear.

 

2. RECORDING MEDIA WHERE PERSONAL DATA IS STORED

 

Personal data belonging to data subjects are stored securely by our company in the media listed below, in accordance with the relevant legislation, especially the provisions of the Law:

 

Electronic Media:

  • CRM
  • MS SQL Server
  • E-Mail Inbox
  • Microsoft Office Programs
  • Video Recording Devices (CCTV)

 

Physical Media:

  • Unit Cabinets
  • Folders
  • Archive

 

3. EXPLANATIONS REGARDING REASONS REQUIRING RETENTION

 

Personal data belonging to data subjects are stored securely by Ender Alüminyum Sanayi ve Ticaret Anonim Şirketi especially for the purposes of:

  1. Sustainability of activities,
  2. Fulfillment of legal obligations,
  3. Planning and execution of employee rights and fringe benefits,
  4. Management of business relationships,
  5. Burden of proof as evidence in potential future legal disputes.

The data is stored in the physical or electronic media mentioned above within the framework of the limits specified in the Law and other relevant legislation.

 

Reasons requiring retention:

  1. Personal data being directly related to the establishment and performance of contracts,
  2. Establishment, exercise, or protection of a right through personal data,
  3. Legitimate interest of our company, provided that it does not harm the fundamental rights and freedoms of individuals,
  4. Fulfillment of any legal obligation of Ender Alüminyum Sanayi ve Ticaret Anonim Şirketi,
  5. Explicit stipulation of personal data retention in the legislation,
  6. Presence of explicit consent of the data subjects for retention activities requiring such consent.

In accordance with the Regulation, personal data belonging to data subjects shall be deleted, destroyed, or anonymized by Ender Alüminyum Sanayi ve Ticaret Anonim Şirketi ex officio or upon request in the following cases:

 

  1. Amendment or repeal of the relevant legislative provisions constituting the basis for processing or storing personal data,
  2. Disappearance of the purpose requiring the processing or storage of personal data,
  3. Disappearance of the conditions requiring the processing of personal data in Articles 5 and 6 of the Law,
  4. Withdrawal of consent by the relevant person in cases where processing occurs only based on the explicit consent condition,
  5. Acceptance by the data controller of the application made by the relevant person regarding the deletion, destruction, or anonymization of personal data within the framework of their rights in Article 11, paragraphs 2 (e) and (f) of the Law,
  6. Lodging a complaint with the Board and acceptance of this request by the Board in cases where the data controller rejects the application for deletion, destruction, or anonymization, or the response is found insufficient, or no response is given within the period stipulated by Law,
  7. Absence of any condition justifying the storage of personal data for a longer period, despite the expiration of the maximum period required for retention.

 

4. MEASURES TAKEN FOR THE PROTECTION OF PERSONAL DATA

 

In accordance with Article 12 of the Law, Ender Alüminyum Sanayi ve Ticaret Anonim Şirketi takes necessary technical and administrative measures to ensure the appropriate level of security to prevent unlawful processing of personal data, prevent unlawful access to data, and ensure data preservation. In case the processed personal data is obtained by third parties through unlawful means despite all measures, the Company informs the relevant units and the Board as soon as possible.

 

4.1 Technical Measures

 

Network security and application security are ensured.

Security measures are taken within the scope of IT systems procurement, development, and maintenance.

Security of personal data stored in the cloud is ensured.

Disciplinary regulations containing data security provisions for employees are in place.

Training and awareness activities on data security are conducted periodically for employees.

Access logs are kept regularly.

Corporate policies on access, information security, use, retention, and disposal have been prepared and implemented.

Data masking measures are applied when necessary.

Confidentiality agreements are executed.

Authorizations of employees who change roles or leave the job are revoked.

Up-to-date anti-virus systems are used.

Firewalls are utilized.

Signed contracts include data security provisions.

Personal data security policies and procedures have been determined.

Personal data security issues are reported quickly.

Necessary security measures are taken regarding entries and exits to physical media containing personal data.

Physical media containing personal data are secured against external risks (fire, flood, etc.).

Security of environments containing personal data is ensured.

Personal data is minimized as much as possible.

User account management and authorization control systems are implemented and monitored.

In-house periodic and/or random audits are conducted.

Log records are kept without user intervention.

Existing risks and threats have been identified.

Protocols and procedures for the security of special categories of personal data are determined and implemented.

Special categories of personal data sent via e-mail are sent encrypted using KEP (Registered E-mail) or corporate accounts.

Intrusion detection and prevention systems are used.

Cybersecurity measures are taken and continuously monitored.

Encryption is performed.

Data processors/service providers are audited periodically regarding data security.

Data loss prevention (DLP) software is used.

 

4.2 Administrative Measures

  • Employees are trained on technical measures to prevent unlawful access to personal data.
  • Access and authorization processes are designed and implemented within the Company in accordance with legal compliance requirements on a business unit basis.
  • Clauses are added to all documents containing personal data, emphasizing the obligation to comply with the Law, non-disclosure, and the continuation of confidentiality even after the termination of the employment contract.
  • Employees are informed that they cannot disclose or use personal data contrary to the Law, and necessary undertakings are obtained from them.
  • Contracts with persons to whom personal data is transferred include provisions that the receiving party will take necessary security measures.
  • In case of unlawful acquisition of data by others, the situation is reported to the relevant person and the Board as soon as possible.
  • Personnel experienced in data processing are employed, and necessary training is provided to existing staff.
  • The Company performs or commissions necessary audits to ensure the implementation of Law provisions and eliminates identified vulnerabilities.

 

5. MEASURES TAKEN REGARDING THE DISPOSAL OF PERSONAL DATA

 

Ender Alüminyum Sanayi ve Ticaret Anonim Şirketi may delete or destroy personal data upon its own decision or the request of the data subject when processing reasons disappear. After deletion, the data will be inaccessible and unusable. The company will manage an effective data tracking process including identification of data to be deleted, relevant persons, and access methods.

 

5.1 Methods for Deletion, Destruction, and Anonymization of Personal Data

5.1.1 Deletion of Personal Data

 

Deletion is the process of making personal data inaccessible and unusable for relevant users. Methods include:

 

  • Personal data on paper will be blacked out, painted, cut, or erased.
  • Access rights for users to office files in central directories will be removed.
  • Rows or columns in databases will be deleted using the ‘Delete’ command.

When necessary, secure deletion will be performed with expert assistance.

 

5.1.2 Destruction of Personal Data

Destruction is making data unrecoverable by anyone through methods such as:

 

  • Physical Destruction
  • Destruction via paper shredder
  • De-magnetization: Exposing magnetic media to high magnetic fields to corrupt data beyond readability.

5.1.3 Anonymization of Personal Data

Anonymization is rendering data impossible to associate with an identifiable person even through matching. Methods include:

Masking: Removing basic identifiers from the data set.

Record Removal: Excluding singular data rows to ensure anonymity.

Regional Hiding: Hiding specific data that could create a unique combination.

Global Coding: Creating more general content (e.g., stating age instead of birth date).

Noise Addition: Adding deviations to numerical data (e.g., +/- 3 kg deviation in weight data) to prevent viewing real values.

 

In accordance with Article 28 of the Law, anonymized data can be processed for research and statistics outside the scope of the Law without explicit consent.

 

6. PERSONAL DATA RETENTION AND DISPOSAL PERIODS

Personal data is stored for the periods specified in Annex-1. If a period is stipulated in legislation, it is observed. If not, the maximum period for the data category is applied, generally up to 10 years (statute of limitations under the Turkish Code of Obligations). Upon expiration, data is destroyed in the first periodic disposal cycle. Records of disposal are kept for at least three years.

7. PERIODIC DISPOSAL PERIODS

Pursuant to Article 11 of the Regulation, the periodic disposal period is determined as 6 months. Accordingly, periodic disposal is performed every June and December. Data will be deleted from documents, files, CDs, disks, or hard drives in a non-recoverable manner.

 

8. PERSONNEL

The titles, units, and job descriptions of personnel responsible for the retention and disposal process are determined in Annex-2. The Chairman of the Personal Data Protection Committee is authorized to represent the Company before law enforcement and courts. Each department head is responsible for supervising user compliance with this Policy.

 

9. REVISION AND REPEAL

In case of changes or repeal of this Policy, the new regulation will be announced on the Company's website.

 

10. ENTRY INTO FORCE

This Retention and Disposal Policy enters into force on the date of publication.

 

ANNEXES

ANNEX 1- Data Retention and Disposal Periods

ANNEX 2- Table of Personnel Responsible for Personal Data Retention and Disposal

ANNEX 3- Internal Directive of the Personal Data Protection Committee

 


 

ANNEX 1- Data Retention and Disposal Periods

| Data Category | Retention Period | Disposal Period |
|---|---|---|
| Identity | 10 years from the end of employment/legal relationship - 2 years for visitors | First periodic disposal cycle after retention period ends |
| Contact | 10 years from transaction date or end of legal relationship | First periodic disposal cycle after retention period ends |
| Personnel (Employment) | 10 years from termination of employment | First periodic disposal cycle after retention period ends |
| Legal Action | 10 years from transaction date or end of legal relationship | First periodic disposal cycle after retention period ends |
| Customer Transaction | 10 years from transaction date or end of legal relationship | First periodic disposal cycle after retention period ends |
| Physical Space Security | 1 month | First periodic disposal cycle after retention period ends |
| Transaction Security | 5 years from transaction date or end of legal relationship | First periodic disposal cycle after retention period ends |
| Financial Data | 10 years from transaction date or end of legal relationship | First periodic disposal cycle after retention period ends |
| Health Data | 10 years from termination of employment | First periodic disposal cycle after retention period ends |

 

ANNEX 2- Table of Personnel Responsible for Personal Data Retention and Disposal

| Personnel | Task | Responsibility |
|---|---|---|
| Personnel Officer | Application Supervisor | Ensuring compliance of internal processes with retention periods and managing disposal under periodic cycles. |
| Administrative and Financial Affairs Officer | Application Supervisor | Ensuring compliance of internal processes with retention periods and managing disposal under periodic cycles. |

 

ANNEX 3- Internal Directive of the Personal Data Protection Committee