PERSONAL DATA RETENTION AND DESTRUCTION POLICY


Prepared for STONE. All rights reserved. It may not be reproduced, distributed or used without permission.
 
 
 
CONTENTS

1. INTRODUCTION

1.1. Purpose

1.2. Scope

1.3. Abbreviations and Definitions

2. LIABILITY

3. RECORDING MEDIUMS

4. EXPLANATIONS ON DATA RETENTION

4.1. Data Retention Purposes

4.2. Legal Grounds for Data Retention

5. COMPLIANCE

5.1. Personal Data Inventory

5.2. Maximum Retention Periods

5.3. Grounds for Destruction

5.4. List of Recording Mediums in Which Personal Data Is Retained

6. MEASURES FOR THE SAFE RETENTION AND DESTRUCTION OF PERSONAL DATA

6.1. Administrative Measures

6.2. Technical Measures

7. PERSONAL DATA DESTRUCTION TECHNIQUES

7.1. Erasure of Personal Data

7.2. Destruction of Personal Data

7.3. Anonymizing of Personal Data

7.4. Periodic Destruction

8. PUBLICATION AND RETENTION OF THE POLICY

9. SANCTION

10. RELATED DOCUMENTS

11. UPDATE AND REVISION

12. ENACTMENT AND REPEAL OF THE POLICY
 
 
 
1. INTRODUCTION

1.1. Purpose

The purpose of this Personal Data Retention and Destruction Policy is to set out the principles and standards applied by STONETERROIR DOĞAL TAŞ VE MADENCİLİK SAN.ve TİC. A.Ş. (hereinafter referred to as STONE/Company) to the personal data of its existing and potential customers, consumers, business partners, visitors, employees, employee candidates, employees of the institutions/organizations it cooperates with, and other relevant third parties, in accordance with Article 20 of the Turkish Constitution, the Law on Protection of Personal Data No. 6698, the Regulation on Erasure, Destruction or Anonymizing of Personal Data, the Regulation on the Registry of Data Controllers and the other secondary regulations issued under Law No. 6698.

1.2. Scope

The terms and principles in the policy cover all information and documents contained in physical and digital media that may be associated with a specific or identifiable natural person, as well as the principles for the retention and destruction of such information.

1.3. Abbreviations and Definitions

Recipient Group: The category of natural or legal persons to whom personal data is transferred by the data controller.

Explicit Consent: Consent relating to a particular subject, given on the basis of information and expressed by free will.

Anonymizing: Rendering personal data such that it cannot be associated with an identified or identifiable natural person under any circumstances, even by matching it with other data.

Worker: Staff at STONE Companies.

Electronic Media: Environments in which personal data can be created, read, modified and written with electronic devices.

Non-Electronic Media: All written, printed, visual and similar media other than electronic media.

Data Subject: The natural person whose personal data is processed.

Destruction: Erasure, destruction or anonymizing of personal data.

Law: Law No. 6698 on the Protection of Personal Data.

Recording Medium: Any medium in which personal data is processed wholly or partly by automated means, or by non-automated means provided that the processing is part of a data registry system.

Personal Data: Any information relating to an identified or identifiable natural person.

Personal Data Processing Inventory: The inventory in which the data controller explains and details the personal data processing activities it carries out in line with its business processes, stating the purposes and legal grounds of processing, the data category, the recipient group to which data is transferred and the data subject group, the maximum retention period required for the purposes of processing, the personal data foreseen to be transferred abroad, and the measures taken regarding data security.

Processing of Personal Data: Any operation performed upon personal data, such as collection, recording, storage, retention, alteration, re-organization, disclosure, transfer, taking over, making retrievable, classification or preventing its use, wholly or partly by automated means or, provided that the processing is part of a data registry system, by non-automated means.

Board: Personal Data Protection Board.

Periodic Destruction: Where all of the conditions for processing personal data set out in the Law have ceased to exist, the erasure, destruction or anonymizing performed at repeated intervals as specified in the personal data retention and destruction policy.

Policy: Personal Data Retention and Destruction Policy.

Data Processor: A natural or legal person who processes personal data on behalf of the data controller on the basis of the authority granted by the data controller.

Data Registry System: A registry system in which personal data is structured and processed according to certain criteria.

Data Controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data registry system.

VERBİS: Data Controller Registry Information System.

Regulation: Regulation on the Erasure, Destruction or Anonymizing of Personal Data, published in the Official Journal of 28 October 2017.

 
 
 
2. LIABILITY

STONE, together with all its units and employees, is liable for properly implementing the technical and administrative measures taken under this Policy. It actively supports the responsible units in training unit employees and raising their awareness, in monitoring and continuously supervising them, in preventing the unlawful processing of and unlawful access to personal data, and in taking the technical and administrative measures needed to ensure secure and lawful retention of data in every environment in which it is processed.
 
 
 
3. RECORDING MEDIUMS

Electronic Recording Mediums:

• Servers (Active Directory, backup, e-mail, database, web, file sharing, etc.)

• Software (office software, QDMS, P-Magic, CRM, VERBIS)

• Information security devices (firewall, intrusion detection and prevention, log files, anti-virus, etc.)

• Personal computers (desktop, laptop)

• Mobile devices (phone, tablet, etc.)

• Optical discs (CD, DVD, etc.)

• Removable memory (USB, memory card, etc.)

• Printer, scanner, copier

Non-Electronic Recording Mediums:

• Paper

• Manual data recording systems (survey forms, visitor entry book)

• Written mediums

• Printed media mediums

• Visual mediums

 
 
 
4. EXPLANATIONS ON DATA RETENTION

Article 3 of the Law defines the processing of personal data; Article 4 requires that personal data be processed in a manner relevant to, limited to and proportionate with the purposes of processing, and be retained only for the period required by those purposes; and Articles 5 and 6 list the conditions under which personal data may be processed. Accordingly, personal data is retained within the framework of the Company's activities for the period stipulated in the relevant legislation or required by our processing purposes.

4.1. Data Retention Purposes
 
• To be able to perform work and operations as a result of signed contracts and protocols,

• To ensure the fulfillment of legal obligations as required by legal regulations,

• To communicate with natural / legal persons in business relationship with STONE,

• To be able to fulfill the obligation of proof as evidence in future legal disputes,

• To ensure the development and maintenance of human resources policies.
 
4.2. Legal Grounds for Data Retention
 
• Law No. 6698 on Protection of Personal Data,

• Turkish Code of Obligations No. 6098,

• Social Insurance and General Health Insurance Law No. 5510,

• Occupational Health and Safety Law No. 6361,

• Law No. 4982 On Obtaining Information,

• Law No. 3071 on the use of the right to petition,

• Labor Law No. 4857,

• Regulation on Health and Safety Measures in Workplace Buildings and Built-ons,

The data retention period is determined by the Laws listed above and by the related secondary regulations, and the data is retained for that period.
 
 
 
5. COMPLIANCE

5.1. Personal Data Inventory

In accordance with this Policy, STONE explains and details, within the Data Controller Registry Information System, the personal data processing activities it carries out for its employees in line with its business processes: the purposes and legal grounds of processing, the data category, the recipient group to which data is transferred and the data subject group, the maximum retention period required for the purposes of processing, the data foreseen to be transferred abroad, and the measures taken regarding data security. STONE undertakes to keep this inventory up to date in accordance with the principles of the Procedure.

5.2. Maximum Retention Periods

In the inventory, STONE clarifies and elaborates the categories of personal data that it processes based on business processes and how long the data categories should be retained in accordance with legal requirements and business purposes. STONE undertakes to keep the data inventory up to date within its policy principles and to process the data in accordance with the relevant personal data retention periods specified. Maximum periods required for the purpose for data processing are determined according to the procedures and principles below as stipulated in Regulation on the Registry of Data Controller and the Regulation on the Erasure, Destruction and Anonymizing of Personal Data:
 
• The period generally required, across all sectors in which STONE operates (including mould and scaffolding systems and other related sectors), for processing the relevant data category,

• The period for which the legal relationship with the person that requires the processing of the relevant data category will continue,

• The period for which STONE's legitimate interest, in accordance with the Law and the rules of good faith, will remain valid given the purpose for which the relevant data category is processed,

• The period for which the legal risks, costs and liabilities of retaining the relevant data category will continue, depending on the purpose of processing,

• Whether the maximum retention period to be determined is suitable for keeping the relevant data category accurate and up to date,

• The period for which STONE is required by its legal obligations to retain personal data in the relevant data category,

• The statute of limitations within which STONE may assert a right based on personal data in the relevant category.

STONE reserves the right to vary these periods according to the matters above and the kind of personal data processed. The retention and destruction periods for certain data are as follows:
 
 
 

PROCESS | RETENTION TIME | TIME OF DESTRUCTION

Execution of the contract process and preservation of the contract | 10 years after the termination of the employment relationship | Within 180 days following the expiration of the retention period

Management of human resources processes | 10 years following termination of activity | Within 180 days following the expiration of the retention period

Data retained under the Labour Law | 10 years after the termination of the employment relationship | Within 180 days following the expiration of the retention period

Data collected under occupational health and safety legislation | 10 years after the termination of the employment relationship | Within 180 days following the expiration of the retention period

Data retained under Social Security Institution legislation | 10 years after the termination of the employment relationship | Within 180 days following the expiration of the retention period

Documents that may be used in a claim/lawsuit relating to an occupational accident or occupational illness | 10 years after the termination of the employment relationship | Within 180 days following the expiration of the retention period

Execution of hardware and software access processes | 2 years | Within 180 days following the expiration of the retention period

Other data collected in accordance with the relevant legislation | For the period stipulated in the relevant legislation | Within 180 days following the expiration of the retention period

Payment transactions | 10 years after the termination of the employment relationship | Within 180 days following the expiration of the retention period

Personnel financing processes | 10 years after the termination of the employment relationship | Within 180 days following the expiration of the retention period

Log / recording / tracking systems | 10 years | Within 180 days following the expiration of the retention period

Allocation of vehicles to employees | 10 years | Within 180 days following the expiration of the retention period

The relevant personal data is the subject of an offence under the Turkish Penal Code or other criminal legislation | During the statute of limitations | Within 180 days following the expiration of the retention period

Camera recordings | 2 years | Within 180 days following the expiration of the retention period

Filing of all kinds of documents | 10 years | Within 180 days following the expiration of the retention period

 
 

5.3. Grounds for Destruction

In determining and implementing the maximum periods required for the purposes for which personal data is processed, STONE monitors whether these periods are consistent with the information in the Personal Data Inventory and whether they are exceeded. If any of the circumstances below occurs, or once STONE becomes aware that it has occurred, the purpose of processing the personal data is considered to have ceased regardless of the maximum period, and the personal data is erased, destroyed or anonymized by STONE upon the request of the person concerned:

 

• Amendment or repeal of the provisions of the relevant legislation that constitute the basis for processing the personal data,

• The contract between the parties was never concluded, is invalid, has ended of its own accord, has been terminated, or has been rescinded,

• The purpose that requires the processing of the personal data has ceased to exist,

• The processing of the personal data is contrary to the Law or the rules of good faith,

• Where personal data is processed solely on the basis of explicit consent, the person concerned withdraws that consent,

• The application made by the person concerned under Article 11, paragraphs (e) and (f), of the Law is accepted by the data controller,

• Where STONE rejects an application by the person concerned for the erasure or destruction of his or her personal data, gives an insufficient response, or fails to respond within the period stipulated in the Law, a complaint is made to the Board and the Board finds the request justified,

• The maximum period required for retaining the personal data has passed and no conditions exist that justify retaining it for a longer period,

• The processing conditions set out in Articles 5 and 6 of the Law have ceased to exist.

 

5.4. List of Recording Mediums in Which Personal Data Is Retained

STONE sets out, on the basis of its business processes, the recording mediums in which personal data is retained, and undertakes to keep this table up to date in accordance with the principles of this Policy.
 
 
 
6. MEASURES FOR THE SAFE RETENTION AND DESTRUCTION OF PERSONAL DATA

STONE is responsible for taking the technical and administrative measures needed to prevent the unsafe retention, unlawful processing and unlawful destruction of personal data and unlawful access to it, and is further responsible for making these measures public and ensuring they are applied in respect of the persons concerned.

6.1.Administrative Measures

• Fulfilling the obligation to inform the persons concerned before processing personal data and obtaining their explicit consent where necessary,

• Including the necessary information security, confidentiality and personal-data-protection clauses in contracts when establishing a commercial or non-commercial contractual relationship with third parties,

• Publication of the Personal Data Retention and Destruction Policy,

• Publication of the Cookie Policy and general information text on STONE's web site,

• Analysis of STONE's activities and processes within the scope of compliance studies and determination of the actions to be taken for compliance with the Law,

• Creation of the personal data inventory.

6.2. Technical Measures

• Creation of an access management process to prevent unauthorized access to personal data,

• Creation of classification and incident management processes related to data protection,

• Detection of vulnerabilities in the recording mediums where personal data is kept, and creation of a scanning process so that action can be taken,

• Use of the necessary solutions to prevent malware from reaching the STONE network,

• Identification of the risks of unlawful processing of personal data,

• Taking technical measures in line with these risks and carrying out technical checks of the measures taken,

• Taking the necessary measures so that erased personal data is inaccessible to the relevant users and cannot be recovered.

• Penetration tests reveal the risks, threats, weaknesses and, if any, vulnerabilities of our Company's information systems, and the necessary precautions are taken.

• Risks and threats that would affect the continuity of information systems are constantly monitored through real-time analysis as part of information security incident management.

• Access to information systems and authorization of users is granted under security policies, through the access and authorization matrix and the corporate Active Directory.

• Our Company takes the necessary measures for the physical security of information systems equipment, software and data.

• Measures are taken against environmental threats to the security of information systems hardware (an access control system that admits only authorized personnel to the system room, 24/7 monitoring, physical protection of the edge switches that make up the local area network, fire extinguishing system, air conditioning system, etc.) and software (firewalls, intrusion prevention systems, network access control, anti-malware systems, etc.).

• The risks of unlawful processing of personal data are determined, technical measures are taken in line with these risks, and technical checks are carried out on the measures taken.

• Access procedures are established within the Company, and reporting and analysis of access to personal data are carried out on that basis.

• Access to retention areas containing personal data is logged, and inappropriate access and access attempts are checked.

• The Company takes the necessary measures to ensure that erased personal data is inaccessible to the relevant users and cannot be used again.

• The Company has established an appropriate system and infrastructure for notifying the person concerned and the Board in the event that personal data is obtained unlawfully by others.

• Security vulnerabilities are monitored, appropriate security patches are installed, and information systems are kept up to date.

• Strong passwords are used in electronic media where personal data is processed.

• Secure logging systems are used in electronic environments where personal data is processed.

• Data backup programs are used to safeguard the retention of personal data.

• Access to personal data retained in electronic or non-electronic media is restricted in accordance with the access principles.

• Data exchanged with the web site is encrypted in transit over HTTPS (SHA-256 with RSA).
 
 
 
7. PERSONAL DATA DESTRUCTION TECHNIQUES

At the end of the period stipulated in the relevant legislation, or of the retention period required for the purposes for which it is processed, personal data is destroyed by the Board or upon the application of the person concerned, using the following techniques in accordance with the provisions of the relevant legislation.

7.1. Erasure of Personal Data

Personal data is erased in the following ways:

Data Recording Medium | Description

Personal data on servers | For personal data on servers whose retention period has expired, the system administrator removes the access privileges of the relevant users and erases the data.

Personal data contained in electronic media | Personal Data Contained In Electronic Media

Personal data contained in the physical environment | Personal data in the physical environment whose retention period has expired is made inaccessible to all employees other than the unit manager responsible for the document archive and is rendered unusable. In addition, it is blacked out by drawing over, painting over or wiping it so that it is unreadable.

Personal data contained in portable media | Personal data in flash-based storage media whose retention period has expired is encrypted by the system administrator and retained in a secure medium to which only the system administrator has access.

 
 

7.2. Destruction of Personal Data

Personal data is destroyed by the Company in the following ways:

Data Recording Medium | Description

Personal data contained in the physical environment | Paper-based data whose retention period has expired is destroyed in a shredder so that it cannot be reassembled.

Personal data in optical / magnetic media | Personal data in optical and magnetic media whose retention period has expired is melted, burned or pulverized. In addition, magnetic media is passed through a special device and exposed to a high magnetic field, rendering the data on it unreadable.

 
 
7.3. Anonymizing of Personal Data

The anonymizing of personal data means that the personal data cannot be associated with an identified or identifiable natural person under any circumstances, even if it is matched with other data.

For personal data to be anonymized, it must be rendered incapable of being associated with an identified or identifiable natural person even when techniques appropriate to the recording medium and the relevant field of activity are applied, such as the data controller or third parties reversing the data and/or matching it with other data.

 

7.4. Periodic Destruction

In accordance with Article 11 of the Regulation on the Erasure, Destruction or Anonymizing of Personal Data, the Board has set the periodic destruction interval at 6 months. Accordingly, STONE undertakes to check the personal data it holds in its digital and physical environments against its personal data inventory at intervals of no more than 6 months (180 days), and to periodically erase, destroy or anonymize such data at repeated intervals once the purpose for which it is processed has ended.
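The retention table in section 5.2 and the periodic check in section 7.4 together define a schedule: each record's retention period runs from a trigger event, destruction must follow within 180 days of expiry, and the inventory is reviewed at most every 6 months. The script below is an added example, not part of this Policy or STONE's own tooling; it applies those rules to a small constructed inventory. The category keys, record ids and dates are assumptions made for illustration, and categories whose period the Policy leaves to legislation or to the statute of limitations are deliberately routed to manual review rather than given a computed date.

```python
"""Retention-schedule check for a personal data inventory.

Added example, not part of the policy text: it applies the retention table
in section 5.2 and the 180-day destruction window and 6-month periodic check
from section 7.4 to a small constructed inventory. Category keys, record ids
and dates are made up for illustration.
"""
import calendar
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Sequence, Tuple

DESTRUCTION_WINDOW = timedelta(days=180)  # "within 180 days following expiration"
PERIODIC_CHECK_MONTHS = 6                 # periodic destruction interval set by the Board

# Retention periods from the policy table, in years after the trigger event
# (e.g. termination of the employment relationship). None marks a period the
# policy leaves to legislation or the statute of limitations: a human must
# resolve those; the code must not guess a date. Keys are assumed names.
RETENTION_YEARS: Dict[str, Optional[int]] = {
    "contract_process": 10,
    "human_resources": 10,
    "labour_law": 10,
    "occupational_health_safety": 10,
    "hardware_software_access": 2,
    "log_tracking_systems": 10,
    "vehicle_allocation": 10,
    "camera_recordings": 2,
    "document_filing": 10,
    "legislation_specific": None,
    "criminal_statute_of_limitations": None,
}


def add_years(d: date, years: int) -> date:
    """Add calendar years; 29 February rolls back to 28 February."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def add_months(d: date, months: int) -> date:
    """Add calendar months, clamping the day to the target month's length."""
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


@dataclass
class Record:
    record_id: str
    category: str
    trigger_date: date                 # event the retention period runs from
    destroyed_on: Optional[date] = None


def assess(record: Record, today: date) -> dict:
    """Classify one record: retain / destroy / overdue / manual_review / destroyed."""
    if record.destroyed_on is not None:
        return {"record_id": record.record_id, "status": "destroyed",
                "retention_expires": None, "destruction_deadline": None}
    years = RETENTION_YEARS.get(record.category)
    if years is None:
        # Unknown category or legislation-defined period: never auto-schedule.
        return {"record_id": record.record_id, "status": "manual_review",
                "retention_expires": None, "destruction_deadline": None}
    expires = add_years(record.trigger_date, years)
    deadline = expires + DESTRUCTION_WINDOW
    if today < expires:
        status = "retain"
    elif today <= deadline:
        status = "destroy"    # inside the 180-day destruction window
    else:
        status = "overdue"    # window missed: escalate, do not silently retain
    return {"record_id": record.record_id, "status": status,
            "retention_expires": expires.isoformat(),
            "destruction_deadline": deadline.isoformat()}


def load_inventory(rows: Sequence[Tuple[str, str, str, str]]) -> List[Record]:
    """Build records from (id, category, trigger ISO date, destroyed ISO date or '')."""
    return [Record(rid, cat, date.fromisoformat(trig),
                   date.fromisoformat(done) if done else None)
            for rid, cat, trig, done in rows]


def assess_iso(record_id: str, category: str, trigger_iso: str,
               today_iso: str, destroyed_iso: str = "") -> dict:
    """Convenience wrapper taking ISO date strings."""
    rec = load_inventory([(record_id, category, trigger_iso, destroyed_iso)])[0]
    return assess(rec, date.fromisoformat(today_iso))


def periodic_report(records: Sequence[Record], today_iso: str) -> Dict[str, List[str]]:
    """Group record ids by status, as the 6-monthly check would report them."""
    today = date.fromisoformat(today_iso)
    report: Dict[str, List[str]] = {}
    for rec in records:
        report.setdefault(assess(rec, today)["status"], []).append(rec.record_id)
    return {k: sorted(v) for k, v in report.items()}


def next_periodic_check(last_check_iso: str) -> str:
    """Latest date for the next periodic destruction check (6 months later)."""
    return add_months(date.fromisoformat(last_check_iso), PERIODIC_CHECK_MONTHS).isoformat()


# Constructed sample inventory (not real data).
SAMPLE_ROWS = [
    ("emp-001", "labour_law", "2013-06-30", ""),                   # expires 2023-06-30
    ("emp-002", "camera_recordings", "2022-01-01", ""),            # expires 2024-01-01
    ("emp-003", "hardware_software_access", "2021-03-15", "2023-04-02"),
    ("emp-004", "criminal_statute_of_limitations", "2020-05-05", ""),
]

if __name__ == "__main__":
    for status, ids in periodic_report(load_inventory(SAMPLE_ROWS), "2024-03-01").items():
        print(f"{status:14s} {', '.join(ids)}")
    print("next check by:", next_periodic_check("2024-03-01"))
```

Running it with the sample rows on 2024-03-01 reports emp-002 as inside its destruction window, emp-001 as overdue (its 180-day window closed on 2023-12-27), emp-003 as already destroyed, and emp-004 as needing manual review. The "overdue" state is the one worth wiring to an alert, since a record that outlives its destruction deadline is exactly the situation section 5.3 describes.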
 
 
 
8. PUBLICATION AND RETENTION OF THE POLICY

The Policy may be published in two different media, as a wet-signed printed copy and in electronic form, and may be made publicly available on STONE's website.
 
 
 
9. SANCTION

For those who do not comply with the clauses above, a legal process or disciplinary process may be initiated in accordance with the nature of the situation.
 
 
 
10. RELATED DOCUMENTS

• STONE Personal Data Inventory

• Article 20 of the Constitution

• Law No. 6698 on Protection of Personal Data and legislation

• Related secondary legislation
 
 
 
11. UPDATE AND REVISION

The Policy is reviewed as needed, and its sections are updated by STONE where necessary.
 
 
 
12. ENACTMENT AND REPEAL OF THE POLICY

The Policy takes effect upon its publication on the Company's website. In the event of a decision to repeal it, the old wet-signed copies of the Policy are marked as cancelled by the Board of Directors (by stamping or writing "cancelled" on them and signing) and retained by the Company for at least 5 years.

 

Document Date: