PERSONAL DATA RETENTION AND DESTRUCTION POLICY
Prepared for STONE. All rights reserved. It may not be reproduced, distributed or used without permission.
1.1. Purpose
1.2. Scope
1.3. Abbreviations and Definitions
3. RECORDING MEDIUM
4. EXPLANATIONS ON RETENTION
4.1. Retention Purposes
4.2. Legal Grounds For Retention
5. COMPLIANCE
5.1. Personal Data Inventory
5.2. Maximum Retention Durations
5.3. Grounds For Destruction
5.4. List Of Recording Media In Which Personal Data Is Held
6. MEASURES FOR THE SAFE RETENTION AND DESTRUCTION OF PERSONAL DATA
6.1. Administrative Measures
6.2. Technical Measures
6.3. Periodic Destruction
7. PUBLICATION AND RETENTION OF POLICY
8. SANCTION
9. RELATED DOCUMENTS
10. UPDATE AND REVISION
11. ENACTMENT AND REPEAL OF THE POLICY
1.1. Purpose
The purpose of the Personal Data Retention and Destruction Policy is to set out the principles and standards applied by STONETERROIR DOĞAL TAŞ VE MADENCİLİK SAN.ve TİC. A.Ş. (hereinafter referred to as STONE/Company) to the personal data of its existing and potential customers, consumers, business partners, visitors, employees, employee candidates, employees of the institutions/organizations it cooperates with and relevant third parties, with respect to Article 20 of the Turkish Constitution, the Law on Protection of Personal Data No. 6698, the Regulation on Erasure, Destruction or Anonymizing of Personal Data, the Regulation on the Registry of Data Controllers and the other secondary regulations of Law No. 6698.
1.2. Scope
The terms and principles in the Policy cover all information and documents held in physical and digital media that may be associated with a specific or identifiable natural person, together with the principles for the retention and destruction of such information.
1.3. Abbreviations and Definitions
STONE, together with all its units and employees, is responsible for properly implementing the technical and administrative measures taken under the Policy; for actively supporting the responsible units in training, raising awareness, monitoring and continuously supervising unit employees; for preventing the unlawful processing of, and unlawful access to, personal data; and for taking the technical and administrative measures needed to retain data securely and lawfully in every environment in which it is processed.
4. EXPLANATIONS ON RETENTION
Article 3 of the Law defines the processing of personal data; Article 4 states that personal data processed must be linked to, limited to and proportionate with the purpose for which it is processed, and must be retained only for the period required by that purpose; and Articles 5 and 6 list the conditions for processing personal data. Accordingly, personal data is retained within the framework of the Company's activities for the period stipulated in the relevant legislation or required by our processing purposes.
4.1. Data Retention Purposes
• To ensure the fulfillment of legal obligations as required by legal regulations,
• To communicate with natural / legal persons in business relationship with STONE,
• To be able to fulfill the obligation of proof as evidence in future legal disputes,
• To ensure the development and maintenance of human resources policies.
4.2. Legal Grounds For Retention
• Turkish Code of Obligations No. 6098,
• Social Insurance and General Health Insurance Law No. 5510,
• Occupational Health and Safety Law No. 6361,
• Law No. 4982 On Obtaining Information,
• Law No. 3071 on the use of the right to petition,
• Labor Law No. 4857,
• Regulation on Health and Safety Measures in Workplace Buildings and Built-ons,
The data retention duration is determined by the Laws stated above and by other related secondary regulations, and the data will be retained for that period of time.
5. COMPLIANCE
5.1. Personal Data Inventory
In accordance with this Policy, STONE records and elaborates, in the Data Controllers' Registry Information System, the personal data processing activities it carries out on the basis of its business processes: the purpose of and legal grounds for processing, the data category, the recipient groups to which data is transferred, the groups of persons the data concerns, the maximum retention period required for the purposes for which the personal data is processed, data foreseen to be transferred abroad, and the measures taken regarding data security. STONE undertakes to keep this inventory up to date in accordance with the principles of the Procedure.
5.2. Maximum Retention Periods
In the inventory, STONE clarifies and elaborates the categories of personal data that it processes based on business processes and how long the data categories should be retained in accordance with legal requirements and business purposes. STONE undertakes to keep the data inventory up to date within its policy principles and to process the data in accordance with the relevant personal data retention periods specified. Maximum periods required for the purpose for data processing are determined according to the procedures and principles below as stipulated in Regulation on the Registry of Data Controller and the Regulation on the Erasure, Destruction and Anonymizing of Personal Data:
• The duration for which the legal relationship established with the person, which requires the processing of personal data in the relevant data category, will continue,
• The duration for which STONE's legitimate interest will remain valid, in accordance with the Law and the rules of bona fides, depending on the purpose for which the relevant data category is processed,
• The duration for which the legal risks, costs and liabilities of retaining the relevant data category will continue, depending on the purpose of processing,
• Whether the maximum retention period to be determined is suitable for keeping the relevant data category accurate and up-to-date,
• The duration that STONE has to retain personal data in the relevant data category as required by its legal obligation,
• STONE’s statute of limitations for asserting a right based on personal data in the relevant category of personal data is taken into account.
We reserve the right to vary the duration according to the matters mentioned above and the kind of personal data processed; the retention and destruction periods for certain data are as follows:
5.3. Grounds For Destruction
In determining and implementing the maximum periods required for the purpose for which personal data is processed, STONE monitors whether such periods are consistent with the information contained in the Personal Data Inventory and whether the maximum periods are exceeded. If any of the circumstances below occurs, or once STONE becomes aware that it has occurred, the purpose of processing the personal data is considered to have ceased regardless of the maximum retention period, and the personal data will be erased, destroyed or anonymized by STONE, including upon the request of the person concerned:
• Change or annulment in the provisions of the relevant legislation which constitute the basis for the processing of personal data,
• The contract between the parties was never established, the contract is not valid, the contract terminates by itself, the contract is terminated, or the contract is rescinded,
• Elimination of the purpose that requires the processing of personal data,
• The processing of personal data is against the Law or rules of bona fides,
• The withdrawal of the consent of the person concerned when processing personal data only takes place on the basis of explicit consent,
• The related person's application under Article 11, paragraphs (e) and (f) of the Law is accepted by the data controller,
• In the event that STONE rejects an application made by the person concerned for the erasure or destruction of his personal data, STONE's response is insufficient, or STONE does not respond within the period stipulated in the Law, a complaint is made to the Board and the Board finds the request to be justified,
• Although the maximum period of time required to retain personal data has been passed, there are no conditions that justify storing personal data for longer periods of time,
• The elimination of the requirements of processing of personal data in Article 5 and 6 of the Law.
5.4. List Of Recording Media In Which Personal Data Is Retained
STONE sets out the recording media in which personal data is retained, based on its business processes, and undertakes to keep this table up to date within its policy principles.
6. MEASURES FOR THE SAFE RETENTION AND DESTRUCTION OF PERSONAL DATA
STONE is responsible for taking technical and administrative measures to prevent the unsafe retention, unlawful processing, unlawful access and unlawful destruction of personal data; it is also responsible for making these measures public and ensuring that they are applied to the persons concerned.
6.1. Administrative Measures
• Fulfilling the obligation to inform the persons concerned before processing personal data and obtaining their explicit consent where necessary,
• Signing contracts that include the necessary information security, confidentiality and PPD-related clauses when establishing a commercial or non-commercial contractual relationship with third parties,
• Publication of the personal data retention and destruction policy,
• Analysis of activities and processes within STONE within the scope of compliance studies and determination of actions to be taken in the name of compliance with the Law,
• Creation of personal data inventory,
• Creation of classification and event management processes related to data protection,
• Detection of vulnerabilities in the recording media where personal data is kept and creation of a screening process for taking action,
• Using the necessary solutions to prevent malware from accessing the STONE network,
• Identifying the risks in order to prevent the unlawful processing of personal data,
• Ensuring that technical measures are taken in accordance with these risks and performing technical checks on the measures taken,
• Taking the necessary measures so that erased personal data is inaccessible to the relevant users and cannot be recovered.
6.2. Technical Measures
• Penetration tests reveal the risks, threats, weaknesses and, if any, vulnerabilities of our Company's information systems, and the necessary precautions are taken.
• As a result of real-time analysis with information security incident management, risks and threats that will affect the continuity of information systems are constantly monitored.
• Access to Information Systems and authorization of users is made through security policies through the access and authorization Matrix and through the corporate Active Directory.
• Our Company is taking the necessary measures for the physical security of information systems equipment, software and data.
• Measures are taken against environmental threats to ensure the security of Information Systems hardware (an access control system that admits only authorized personnel to the system room, 24/7 monitoring, physical protection of the edge switches that make up the local area network, a fire extinguishing system, an air conditioning system, etc.) and software (firewalls, intrusion prevention systems, network access control, anti-malware systems, etc.).
• Risks to prevent illegal processing of personal data are determined, technical measures are taken in accordance with these risks and technical controls are carried out for the measures taken.
• Reporting and analysis studies related to access to personal data are carried out by establishing access procedures within the Company.
• Access to retention areas containing personal data is recorded and inappropriate access or access attempts are controlled.
• The Company takes the necessary measures to ensure that the erased personal data is inaccessible to the relevant users and cannot be used again.
• In the event that personal data is obtained illegally by others, an appropriate system and infrastructure has been established by the Company to inform the relevant person and the board.
• Security vulnerabilities are monitored and appropriate security patches are installed and information systems are kept up to date.
• Strong passwords are used in electronic media where personal data is processed.
• Secure logging systems are used in electronic environments where personal data is processed.
• Data backup programs are used to secure the retention of personal data.
• Access to personal data retained in electronic or non-electronic media is restricted according to the principles of access.
• Traffic to the web site is encrypted over HTTPS, using a certificate with a SHA-256 signature and an RSA key.
At the end of the period stipulated in the relevant legislation or the retention period required for the purpose for which they are processed, personal data shall be destroyed by the Board or upon the application of the related person by the following techniques in accordance with the provisions of the relevant legislation.
7.1. Erasure Of Personal Data
Personal data is erased in the following ways:
7.2. Destruction Of Personal Data
Personal data is destroyed by the Company in the following ways.
7.3. Anonymizing Of Personal Data
Anonymizing personal data means rendering it such that it cannot be associated with a specific or identifiable natural person under any circumstances, even when matched with other data.
For personal data to be anonymized, it must be rendered such that it cannot be associated with a specific or identifiable natural person even when techniques appropriate to the recording medium and the related field of activity are used, such as the data controller or third parties recovering the data and/or matching it with other data.
7.4. Periodic Destruction
In accordance with Article 11 of the Regulation on the Erasure, Destruction or Anonymizing of Personal Data, the Board has set the periodic destruction period as 6 months. Accordingly, STONE undertakes to periodically check the personal data it holds in its digital and physical environments against its personal data inventory, at intervals of no more than 6 months (180 days), and to erase, destroy or anonymize such data at those recurring intervals once the purpose for which it is processed has ended.
The Policy may be published in two different media, wet-signed (printed paper) and electronic, and may be publicly posted on STONE's website.
For those who do not comply with the clauses above, a legal process or disciplinary process may be initiated in accordance with the nature of the situation.
• STONE Personal Data Inventory
• Article 20 of the Constitution
• Law No. 6698 on Protection of Personal Data and legislation
• Related secondary legislation
The policy is reviewed if needed and the sections will be updated by STONE if necessary.
The Policy is considered to be effective as of its publication on the Company's website. In the event of a decision to repeal it, old wet-signed copies of the Policy will be signed for cancellation by the Board of Directors (by stamping or writing the cancellation on them) and retained by the Company for at least 5 years.