POLICY ON PERSONAL DATA STORAGE AND DESTRUCTION

I. INTRODUCTION

1.1. Purpose of the Policy

Pursuant to Article 20 of the Constitution, titled "Privacy of Private Life", Law No. 6698 on the Protection of Personal Data ("Law"), and the provisions of the regulations and notices in force, the purpose of this Policy is to process the personal data obtained by Kobi Uluslararası Tanıtım Ve Dağıtım Hizmetleri Sanayi Ticaret Anonim Şirketi; to protect the fundamental rights and freedoms of data owners (employees, employee candidates, members, suppliers, shareholders/partners, company officials, visitors, business partners, and other third parties), especially the privacy of private life; to ensure that the data controller who processes the personal data performs data processing in accordance with the law; and to determine the principles of the process for storing the personal data obtained and, if necessary, deleting, destroying and anonymizing it.

1.2. Scope of the Policy

All kinds of operations performed by the Company as data controller on personal data, meaning any information regarding an identified or identifiable natural person, whether fully or partially automatically or non-automatically provided that it is part of a data recording system, such as obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying, or preventing the use of the data, are accepted as data processing activities. The scope of this Policy is the establishment of the procedures and principles of the destruction process for the deletion, destruction and anonymization of personal data, when necessary, following the data processing activities carried out by the Company.

1.3. Implementation of the Policy and Relevant Legislation

This Policy has been prepared in accordance with the relevant legislation in force, especially Law No. 6698 on the Protection of Personal Data, the Regulation on Data Controllers Registry No. 30286, and the Regulation on the Deletion, Destruction or Anonymization of Personal Data No. 30224, and with the regulations, notices, decisions, and guides published by the Board. If the Law or other relevant legislation changes after the publication date of the Policy and the Policy becomes incompatible with that change, the amended provisions and rules will apply. All notices, decisions, and guidelines published by the Board are followed by our Company, and the rules stipulated by the Policy are kept up to date.

1.4. Enforcement of the Policy

The Policy has been published on the Company's website and entered into force on the date of its publication.

II. ISSUES REGARDING THE STORAGE AND DESTRUCTION OF PERSONAL DATA

2.1. Retention Periods of Personal Data

Personal data must be accurate and, when necessary, up to date in accordance with clauses (b) and (d) of Article 4 of the Law, and must be kept for the period required by the relevant legislation or for the purpose for which they are processed. In this context, your personal data, which are processed in accordance with the principles and rules to be observed in data processing activities and kept at our Company, are kept for the period required for the purpose for which they are processed; where an obligation to delete, destroy or anonymize personal data arises, your personal data is deleted, destroyed, or anonymized within the first periodic destruction period following the date on which this obligation arises.

The periods for data storage and destruction processes by our company are included in Annex-2-Personal Data Retention Periods. Except for the periods specified in Annex-2, the period of time for periodic destruction is limited to a maximum of 6 months by our company.

Our company acts in accordance with the general principles set forth in article 4 of the Law and the technical and administrative measures set forth in article 12 in deleting, destroying or anonymizing your personal data.

All transactions regarding the deletion, destruction, or anonymization of personal data are recorded by us and are kept for at least 3 years in accordance with legal obligations.

The personal data specialist assigned by the Company for the storage and destruction of data is the person responsible for the execution and supervision of the personal data storage and destruction policy.

2.2. Obligation to Delete, Destroy, and Anonymize Personal Data

In accordance with the provisions of the "Regulation on the Deletion, Destruction or Anonymization of Personal Data" prepared by the Personal Data Protection Board and published in the Official Gazette dated 28 October 2017 and numbered 30224, and in accordance with Article 7 of the Law, personal data processed by the Company are deleted, destroyed, or anonymized ex officio or upon the request of the relevant data owner when the reasons requiring the processing of the data disappear.

During the deletion, destruction, or anonymization of personal data, the necessary administrative and technical measures are taken, such as informing employees about information security and destruction processes, choosing the most appropriate method according to the nature of the data recording medium in which personal data is kept, carrying out regular and periodic maintenance and tracking studies regarding data security, using the most up-to-date destruction systems required in terms of technology and technique, issuing automatic deletion commands, and removing the authority to access, reuse and restore deleted data.

a) Deletion of personal data

Deletion of personal data is the process of making personal data inaccessible and non-reusable for the relevant users under any circumstances.

All necessary technical and administrative measures are taken to ensure that the deleted personal data is not accessible and reusable for the relevant users.

b) Destruction of personal data

Destruction of personal data is the process of making personal data inaccessible, unrecoverable and unusable by anyone under any circumstances. The data controller is obliged to take all necessary technical and administrative measures regarding the destruction of personal data.

c) Anonymization of Personal Data

Anonymization of personal data means that personal data cannot be associated with an identified or identifiable natural person under any circumstances, even if it is matched with other data.

All kinds of technical and administrative measures are taken by our Company to make your personal data anonymous, and it is anonymized by applying methods in accordance with our personal data retention and destruction policy.

2.3. Personal Data Recording Media

Personal data recording medium means any medium in which personal data is processed by fully or partly automatic means, or by non-automatic means provided that it is part of a data recording system.

Personal data related to data owners are stored securely by our Company in the following data recording media, in accordance with the relevant legislation, especially the provisions of the KVKK No. 6098, and within the framework of international data security principles:

a) Technical recording media:

• Computing environment,

• Central servers,

• Optical discs (CD, DVD, etc.),

• Removable memories (USB, Memory Card etc.),

• Information security devices and software,

• Fully or partially automatic data recording systems (Card readers, servers of face recognition machines and tools.)

b) Non-technical data recording media:

• Papers,

• Manual data recording systems

• Written, printed, visual media,

• Cabinets of relevant departments.

2.4. Deletion, Destruction, and Anonymization Techniques of Personal Data

The techniques used by our Company for the deletion, destruction or anonymization of the personal data it processes are shown below; which technique is applied may vary depending on the nature of the personal data processed.

For this, it is first necessary to (1) determine the personal data that is the subject of deletion, destruction, or anonymization; (2) determine the relevant users for each item of personal data using an access authorization and control matrix or a similar system; (3) determine the authorizations and methods of the relevant users, such as access, retrieval, and reuse; and (4) close and eliminate the access, retrieval, and reuse authorizations and methods of the relevant users within the scope of personal data.

The procedure followed for deletion of personal data is as follows:

● Issuing a delete command in cloud or application-type solutions,

● Blackening, cutting, or making invisible the data on paper media,

● Deletion of data on removable media using appropriate software.

The procedure followed for destruction of personal data is as follows:

● Physical destruction by melting, burning, or pulverizing optical media and magnetic media,

● Other destruction processes in paper or electronic environment.

2.5. Reasons for Destruction of Personal Data

Personal data related to data owners are destroyed by the Company for purposes and reasons such as, but not limited to:

• The general principles in Article 4 of the Law,

• A change in the provisions of the relevant legislation that is the basis for processing,

• Withdrawing the express consent of the person concerned in cases where the processing of personal data takes place only on the basis of express consent,

• Requesting the personal data to be destroyed by the data owner,

• Termination of legal obligations regarding the storage of personal data,

• The disappearance of the purpose that requires the processing or storage of personal data,

• The maximum period for keeping personal data has passed and there is no justifiable reason for continuing to keep personal data.

III. RIGHTS OF THE PERSONAL DATA OWNER AND THE USE OF THESE RIGHTS

3.1. Rights of Personal Data Owner

In accordance with the Law No. 6698, in the capacity of data owner, you have the rights of:

• Learning whether your personal data is processed or not,

• If your personal data has been processed, requesting information regarding it,

• Learning the purpose of processing your personal data and whether they are used in accordance with the purpose,

• Knowing the third parties to whom personal data is transferred domestically or abroad,

• Requesting correction of personal data if it is incomplete or incorrectly processed,

• Requesting the deletion or destruction of your personal data within the framework of the conditions stipulated in Article 7,

• Requesting notification of the third parties to whom personal data has been transferred, regarding the correction, deletion, or destruction of data in case of incomplete or incorrect processing,

• Objecting to the emergence of a result against you by analyzing your processed data exclusively through automated systems, and

• Requesting the compensation of the damage in case of damage due to illegal processing of your personal data.

3.2. Exercise of Personal Data Owner's Rights

Requests by the data owner regarding the implementation of the Law should be sent to the Company in writing to the address of Musalla Bağları Mahallesi, Kule Caddesi, No:2/28, Selçuklu/Konya, or to the e-mail address of kvk@turkishexporter.net. In application requests, the "Relevant Person Application Form" published by the Company on the website must be used.

3.3. Our Company's Response to Applications

When the relevant person applies to the Company and requests the deletion or destruction of his/her personal data:

• In case it is determined that all the conditions for processing personal data have been removed; the personal data subject to the request will be deleted, destroyed, or anonymized within thirty days at the latest and the relevant person will be informed.

• In case it is determined that the personal data subject to the request has been transferred to third parties, although all the conditions for processing personal data have been removed; our Company will notify the third party of this situation and will ensure that the necessary actions are taken before the third party.

• In case it is determined that the conditions for processing personal data have not disappeared; the request may be rejected by our Company by explaining the reason in accordance with the third paragraph of Article 13 of the Law, and the rejection response will be notified to the relevant person in writing or electronically at the latest within thirty days from the notification.

ANNEX 1: Definitions

Explicit consent: The consent that is based on information and freely expressed regarding a particular subject,

Anonymizing: Making personal data incapable of being associated with an identified or identifiable natural person in any way, even by matching with other data,

Relevant Person: the real person whose personal data is processed,

Relevant User: Real or legal persons who process personal data within the data controller organization or in line with the authorization and instruction received from the data controller with the exception of the person or unit responsible for technical storage, protection, and backup of data,

Destruction: Deletion, destruction, or anonymization of personal data,

The Law: Personal Data Protection Law No. 6698 dated 24/3/2016

Darkening: Processes such as scratching, painting and icing all of the personal data in a way that cannot be associated with an identified or identifiable real person,

Recording Medium: Any environment in which personal data are processed by fully or partially automated means, or by non-automated means provided that it is part of a data recording system,

Personal Data: All kinds of information related to an identified or identifiable real person.

The processing of personal data: All kinds of processes performed on personal data including obtaining, recording, storing, keeping, changing, re-arranging, disclosure, transmission, acquisition, making available, classification or prevention of use in whole or in part, automatically or in non-automatic ways, being part of any data recording system,

Personal Data Retention and Destruction Policy: The policy taken as a basis by data controllers in order to determine the maximum period required for the objective of processing personal data and deletion, destroying, and anonymization of data,

Board: Personal Data Protection Board,

Institution: Personal Data Protection Authority,

Periodic Destruction: The deletion, destruction or anonymization process to be carried out ex officio at recurring intervals specified in the personal data storage and disposal policy in case all the conditions for processing personal data included in the law are eliminated,

Data recording system: Recording system in which personal data is processed by organizing according to certain criteria,

Data Controller: Real or legal person responsible for identifying the purposes and means of personal data processing and installing and managing data registry system.

Regulation: The Regulations on the Deletion, Destruction or Anonymization of Personal Data, numbered 30224

ANNEX 2: Personal Data Retention Periods

| Personal Data Source | Time | Legal Basis |
| --- | --- | --- |
| Membership Registrations | 10 Years | Law No. 6098 |
| Customer Transaction Information (Call Records of Customers' Requests / Complaints / Suggestions, etc.) | 10 Years | Turkish Code of Obligations No. 6098 |
| Personal Data Regarding Customers | 3 Years | Law No. 6563, Law No. 6102, Law No. 6098, Law No. 213 |
| All Records Regarding Accounting and Financial Transactions | 10 Years | Law No. 6102, Law No. 213 |
| Personal Data Regarding Suppliers | 10 Years After Legal Relationship Ended | Law No. 6102, Law No. 6098, and Law No. 213 |
| Agreements | 10 Years from the Termination of the Agreement | Law No. 6102, Law No. 6098, and Law No. 213 |
| Personal Data Processed in Contractual Relationships (e.g. Name and Surname of Company Official, Signature Circular, etc.) | 10 Years from the Termination of the Agreement | Turkish Code of Obligations No. 6098 |
| Personal Data Regarding Tax Records | 5 Years | Tax Procedure Law No. 213 |
| Human Resources Processes | 10 Years from the End of Legal Relationship | Labor Law No. 4857 and Related Legislation / Turkish Code of Obligations No. 6098 |
| Data on Personal Files Stored under the Labor Law | 10 Years from the Termination of the Business Relationship | Labor Law No. 4857 and Related Legislation / Turkish Code of Obligations No. 6098 |
| Data Collected within the Scope of Occupational Health and Safety Legislation (e.g. employment health tests, medical reports, OHS Trainings, Records of Occupational Health and Safety activities, etc.) | 15 Years from the Termination of the Business Relationship | Occupational Health and Safety Law No. 6331, Occupational Health and Safety Services Regulation |
| Job Application / Internship Application / If Application Is Not Accepted, Data on Candidate Applications (e.g. Resume, Application form, etc.) | 1 Year | Industry Customs are Applicable. |
| Data Processed in Accordance with Corporate Communication Activities for Employees | 10 Years from the Termination of the Business Relationship | Industry Customs are Applicable. |
| Personal Data of Visitors | 2 Years | Law No. 5651 |
| Call Center Audio Recordings | 3 Years | Law No. 6563 and Related Legislation |
| Commercial Electronic E-Mail Confirmation Records | 1 Year from the Date of Withdrawal of Approval | Law No. 653, Regulation on Commercial Communication and Commercial Electronic Messages Published in the Official Gazette No. 29417 dated 15.07.2015 |
| Personal Data Processed for Security Purposes in Accordance with CCTV Cameras (Camera Records) | 90 Days | Industry Customs are Applicable. |
| Traffic Information Processed During Use of Internet Network, Internet Access and Remote Connection | 2 Years | Law No. 5651 |
| Cookies and Logs | 6 Months – Maximum 2 Years | Internet Law No. 5651 |
| Traffic Information on Online Visitors | 2 Years | Law No. 5651 |
| Personal Data Protection Board Transactions | 10 Years | Law No. 6698 |